Document:Prisma Cloud Administrator’s Guide (Compute)

Prisma Cloud vulnerability feed

Filter

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Cluster Context
- Deploy Prisma Cloud Defenders
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Upgrade the Single Container Defenders
- Upgrade Defender DaemonSets
- Upgrade Defender DaemonSets (Helm)
Agentless Scanning
- Agentless Scanning Modes
- Onboard Accounts for Agentless Scanning
- Agentless Scanning Results
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire Settings
- Log Scrubbing
- Permissions by feature
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials Store
Cloud Service Providers
- Cloud discovery
- Use Cloud Service Provider Accounts in Prisma Cloud
Vulnerability management
- Prisma Cloud vulnerability feed
- Scanning Procedure
- Vulnerability Management Policies
- Vulnerability Scan Reports
- Scan Images for Custom Vulnerabilities
- Base images
- Vulnerability Explorer
- CVSS scoring
- CVE Viewer
- Registry scanning
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu Blobstore Scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploy WAAS
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API Discovery
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Sensitive Data
Firewalls
- Cloud Native Network Segmentation (CNNS)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts for Security Incident Response
- ServiceNow alerts for Vulnerability Response
- Slack Alerts
- Splunk Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan Images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

Prisma Cloud vulnerability feed

Information on threat intelligence and vulnerability data on Prisma Cloud is available through the Prisma Cloud Intelligence Stream(IS) feed. You can search for specific CVE on the CVE Viewer.

Pre-filled CVEs

On Prisma Cloud, you may find vulnerabilities with a CVE identifier that neither MITRE nor NVD is reporting or is actively analyzing. A pre-filled CVE is the result of an analysis conducted by Palo Alto Networks Unit 42 researchers. The researchers manually review the details of each vulnerability, identify the correct range of affected releases and deliver the data to IS.

Many vulnerabilities in open-source software are assigned with a CVE ID and promptly analyzed by NVD and Linux distribution vendors. However, some vulnerabilities take a long time to be analyzed, sometimes weeks or even months. Having a CVE but no analysis means users have no information on the severity, affected releases, or description of the vulnerability and thereby making it impossible to defend against these vulnerabilities.

Let’s examine an example scenario. Security researchers find a vulnerability in an open-source project. The vulnerability details are publicly discussed in the project’s bug tracker, e.g. in a GitHub issue. Following the discussion, the issue is fixed and a CVE ID is assigned to the issue. At this stage, NVD analysis takes place, and it may take multiple days for the NVD site to be updated with a description and the affected releases range (CPE). Instead of waiting for the official analysis to complete, our researchers evaluate the vulnerability and insert the data into Prisma Cloud feeds quickly, preventing any delay in remediation of the vulnerability. When the NVD entry is fully updated, Prisma Cloud uses the official data from NVD.

PRISMA-* IDs

You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open-source vulnerabilities, our team identifies vulnerabilities you need to be aware of and assigns PRISMA IDs to them whenever applicable.

For example, let’s review PRISMA-2021-0020. A user found a bug in the Python package click and opened an issue through its open-source repository on GitHub. Our research team found this issue and determined it explains a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier and analyzed the correct range of affected releases. Affected customers were alerted to this vulnerability despite the lack of any public vulnerability identifier. If a CVE is ever assigned to the same vulnerability that has a Prisma ID, the CVE takes over and the PRISMA ID entry is fully replaced. Read more about the correlation between PRISMA IDs and CVEs in this blog post.

The following diagram shows the PRISMA ID and Pre-filled CVEs assignment flow:

PRISMA-* ID Syntax

PRISMA ID syntax consists of the PRISMA prefix, year of release, and a sequence of four digits. For example, "PRISMA-2020-1234". This format is intentionally similar to that used by CVE IDs. There is absolutely no correlation between the sequence used for PRISMA IDs to that of CVEs released the same year. There is also no grouping of PRISMA IDs. That is, there is no correlation between adjacent PRISMA ID sequences.

Investigating PRISMA-* Vulnerabilities

The vulnerability description includes the necessary information required to understand the vulnerability. The severity is carefully determined by our team based on CVSS scoring. You may also access the ID link to find the original source that resulted in the assignment of the PRISMA ID. This will likely be an external advisory, a GitHub (or another bug tracker) issue, or it may directly lead you to the fix commit (pull request) when there is no correlating informational page.

Supported Packages and Languages

The following list shows the application types that are currently supported. You can view all the packages installed on an image or host in Scan reports under Monitor > Vulnerabilities > Images/Hosts
.

Package
- supported Operating Systems packages, such as an RPM (Red Hat and derived distributions), dpkg/deb (Debian and derived distributions), or apk (Alpine Linux).

Jar
- the Java Archive format, which is a zip file with a standard structure. The war file format, or web app archive, is also supported.

Python
- a Python library.

Nodejs
- a Node.js library.

Gem
- a Ruby gem library.

Go
- a GoLang library

App
- a binary associated with a well-known application, such as Nginx or PostgreSQL.

For an application that originates from an OS package, the vulnerability data for CVEs are sourced from the relevant feed for the OS package. In some cases, like with Amazon Linux and Photon OS, this CVE information is provided in security advisories such as Amazon Linux Security Advisories (ALAS) for Amazon, and PHSA for Photon. In such cases, the correlation for the relevant vulnerabilities is limited. As an example, when the application "Python" is sourced from an Amazon Python package, CVEs found for the python application (as a binary) will not be correlated with the relevant Amazon CVEs from the ALAS.

Unpackaged software

Typically, the software is added to container images and hosts with a package manager, such as apt, yum, and npm. Prisma Cloud typically uses the package manager’s metadata to discover installed components and versions, and compares this data against a real-time CVE feed in the Intelligence Stream(IS).

Sometimes, you might install software without a package manager. For example, the software might be built from a source and then added to an image with the Dockerfile ADD instruction, or your developers might unzip software from a tarball to a location on a host, and utilize the application. In these cases, there is no package manager data associated with the application.

Prisma Cloud uses a variety of analysis techniques to detect metadata about software not installed by package managers. These are purpose-built differently for images and hosts.

This analysis augments existing vulnerability detection and blocking mechanisms, giving you a single view of all vulnerabilities, regardless of how the software is installed (distro’s package manager, language runtime package manager, or without a package manager).

Supported apps

The type of applications supported in the IS are:

.NET Core

ASP.NET Core

BusyBox

Consul

CRI-O

Docker

Istio

OMI

Vault

Websphere Application Server

Webshpere Open Liberty

Kubernetes

OpenShift

Jenkins

Envoy

Hashicorp Vault

Hashicorp Consul

WordPress

Redis

Nginx

Mongo

MySQL

Httpd

Java- Oracle, openJDK

Apache

Postgres

Document:Prisma Cloud Administrator’s Guide (Compute)

Prisma Cloud vulnerability feed

Table of Contents

Prisma Cloud vulnerability feed

Pre-filled CVEs

PRISMA-* IDs

PRISMA-* ID Syntax

Investigating PRISMA-* Vulnerabilities

Supported Packages and Languages

Unpackaged software

Supported apps