Prisma Cloud vulnerability feed
Information on threat intelligence and vulnerability data on Prisma Cloud is available through the Prisma Cloud Intelligence Stream (IS) feed. You can search for a specific CVE in the CVE Viewer.
On Prisma Cloud, you may find vulnerabilities with a CVE identifier that neither MITRE nor NVD is reporting or is actively analyzing. A pre-filled CVE is the result of an analysis conducted by Palo Alto Networks Unit 42 researchers. The researchers manually review the details of each vulnerability, identify the correct range of affected releases and deliver the data to IS.
Many vulnerabilities in open-source software are assigned a CVE ID and promptly analyzed by NVD and Linux distribution vendors. However, some vulnerabilities take a long time to be analyzed, sometimes weeks or even months. Having a CVE but no analysis means users have no information on the severity, affected releases, or description of the vulnerability, which makes it impossible to defend against it.
Let’s examine an example scenario. Security researchers find a vulnerability in an open-source project. The vulnerability details are publicly discussed in the project’s bug tracker, e.g. in a GitHub issue. Following the discussion, the issue is fixed and a CVE ID is assigned to it. At this stage, NVD analysis takes place, and it may take multiple days for the NVD site to be updated with a description and the affected release range (CPE). Instead of waiting for the official analysis to complete, our researchers evaluate the vulnerability and insert the data into the Prisma Cloud feeds quickly, preventing any delay in remediation of the vulnerability. When the NVD entry is fully updated, Prisma Cloud uses the official data from NVD.
You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open-source vulnerabilities, our team identifies vulnerabilities you need to be aware of and assigns PRISMA IDs to them whenever applicable.
For example, let’s review PRISMA-2021-0020. A user found a bug in the Python package click and opened an issue in its open-source repository on GitHub. Our research team found this issue and determined that it describes a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier and analyzed the correct range of affected releases. Affected customers were alerted to this vulnerability despite the lack of any public vulnerability identifier. If a CVE is ever assigned to a vulnerability that has a PRISMA ID, the CVE takes over and the PRISMA ID entry is fully replaced. Read more about the correlation between PRISMA IDs and CVEs in this blog post.
The following diagram shows the PRISMA ID and Pre-filled CVEs assignment flow:
PRISMA-* ID Syntax
PRISMA ID syntax consists of the PRISMA prefix, the year of release, and a sequence of four digits. For example, "PRISMA-2020-1234". This format is intentionally similar to that used by CVE IDs. There is absolutely no correlation between the sequence used for PRISMA IDs and that of CVEs released in the same year. There is also no grouping of PRISMA IDs. That is, there is no correlation between adjacent PRISMA ID sequences.
Investigating PRISMA-* Vulnerabilities
The vulnerability description includes the necessary information required to understand the vulnerability. The severity is carefully determined by our team based on CVSS scoring. You may also access the ID link to find the original source that resulted in the assignment of the PRISMA ID. This will likely be an external advisory, a GitHub (or another bug tracker) issue, or it may directly lead you to the fix commit (pull request) when there is no correlating informational page.
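The identifier rules above (PRISMA-YYYY-NNNN syntax, official NVD data replacing a pre-filled CVE, and a CVE fully replacing a PRISMA ID once one is assigned) can be expressed as a small feed-merge routine. This is an added illustration, not Prisma Cloud code; the entry layout, the `supersedes` link and the sample package/version values are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Identifier formats as described on the page: CVE IDs and the CVE-like PRISMA-YYYY-NNNN scheme.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
PRISMA_RE = re.compile(r"^PRISMA-\d{4}-\d{4}$")

def id_kind(vuln_id: str) -> str:
    """Classify an identifier; anything else is rejected so malformed feed rows are caught early."""
    if CVE_RE.match(vuln_id):
        return "cve"
    if PRISMA_RE.match(vuln_id):
        return "prisma"
    raise ValueError(f"unrecognised vulnerability identifier: {vuln_id}")

@dataclass
class Entry:
    vuln_id: str
    package: str
    fixed_in: str                      # first release that is no longer affected (constructed field)
    source: str                        # "nvd" (official), "prefilled" (pre-filled CVE) or "prisma"
    supersedes: Optional[str] = None   # PRISMA ID this CVE replaces, if any (hypothetical link)

def _vtuple(version: str):
    return tuple(int(p) for p in version.split("."))

def merge_feed(entries):
    """Apply the page's precedence rules: official NVD data replaces a pre-filled CVE with the
    same ID, and a CVE that covers a PRISMA-* vulnerability removes the PRISMA entry entirely."""
    by_id = {}
    for e in entries:
        id_kind(e.vuln_id)
        cur = by_id.get(e.vuln_id)
        if cur is None or (cur.source == "prefilled" and e.source == "nvd"):
            by_id[e.vuln_id] = e
    for e in list(by_id.values()):
        if e.supersedes:
            by_id.pop(e.supersedes, None)   # the CVE takes over; the PRISMA entry is dropped
    return by_id

def find_vulns(feed, package: str, version: str):
    """Identifiers affecting `package` at `version`, i.e. entries whose fix is a later release."""
    return sorted(e.vuln_id for e in feed.values()
                  if e.package == package and _vtuple(version) < _vtuple(e.fixed_in))

# Constructed sample feed: placeholder IDs, packages and versions, not real advisories.
SAMPLE = [
    Entry("PRISMA-2020-1234", "examplelib", "1.3.0", "prisma"),
    Entry("CVE-2020-12345", "examplelib", "1.3.0", "prefilled", supersedes="PRISMA-2020-1234"),
    Entry("CVE-2020-12345", "examplelib", "1.3.0", "nvd", supersedes="PRISMA-2020-1234"),
    Entry("CVE-2020-22222", "otherlib", "2.0.0", "prefilled"),   # NVD analysis still pending
]
```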
Supported Packages and Languages
The following list shows the application types that are currently supported. You can view all the packages installed on an image or host in Scan reports under Monitor > Vulnerabilities > Images/Hosts.
- Package: supported operating system packages, such as RPM (Red Hat and derived distributions), dpkg/deb (Debian and derived distributions), or apk (Alpine Linux).
- Jar: the Java Archive format, which is a zip file with a standard structure. The war file format, or web app archive, is also supported.
- Python: a Python library.
- Nodejs: a Node.js library.
- Gem: a Ruby gem library.
- Go: a GoLang library.
- App: a binary associated with a well-known application, such as Nginx or PostgreSQL.
For an application that originates from an OS package, the vulnerability data for CVEs is sourced from the relevant feed for the OS package. In some cases, like with Amazon Linux and Photon OS, this CVE information is provided in security advisories such as Amazon Linux Security Advisories (ALAS) for Amazon and PHSA for Photon. In such cases, the correlation for the relevant vulnerabilities is limited. As an example, when the application "Python" is sourced from an Amazon Python package, CVEs found for the Python application (as a binary) will not be correlated with the relevant Amazon CVEs from ALAS.
Typically, software is added to container images and hosts with a package manager, such as apt, yum, or npm. Prisma Cloud uses the package manager’s metadata to discover installed components and versions, and compares this data against a real-time CVE feed in the Intelligence Stream (IS).
Sometimes, you might install software without a package manager. For example, the software might be built from source and then added to an image with the Dockerfile ADD instruction, or your developers might unzip software from a tarball to a location on a host and run the application from there. In these cases, there is no package manager data associated with the application.
Prisma Cloud uses a variety of analysis techniques to detect metadata about software not installed by package managers. These techniques are purpose-built separately for images and for hosts.
This analysis augments existing vulnerability detection and blocking mechanisms, giving you a single view of all vulnerabilities, regardless of how the software is installed (distro’s package manager, language runtime package manager, or without a package manager).
The types of applications supported in the IS are:
- .NET Core
- ASP.NET Core
- WebSphere Application Server
- WebSphere Open Liberty
- Hashicorp Vault
- Hashicorp Consul
- Java (Oracle, OpenJDK)