Security Assurance Policy on Prisma Cloud Compute
Prisma Cloud adheres to the guidelines outlined in the Palo Alto Networks Product Security Assurance Policy.
In accordance with this policy, Prisma Cloud Compute may have security releases outside of the regular release schedule.
Security releases are used for the sole purpose of remediating vulnerabilities that affect Prisma Cloud Compute, whether in its codebase or its dependencies.
We frequently analyze new vulnerabilities between releases to determine if any issue warrants a security release before the next scheduled release. This section outlines which issues are addressed in security releases.
With each new release of Prisma Cloud Compute, software dependencies are kept up-to-date to eliminate any known and confirmed vulnerabilities in third-party dependencies.
When new vulnerabilities are discovered in Prisma Cloud Compute dependencies after an official release, these vulnerabilities are addressed in the newer releases with the exceptions noted below.
Therefore, as a best practice, always upgrade to the latest release of Prisma Cloud Compute.
New releases of Prisma Cloud Compute are signed off with up-to-date dependencies. Vulnerabilities that meet the below criteria are analyzed between releases:
- Any vulnerability with severity high and above, regardless of having a fix or not.
- Any vulnerability with moderate severity when a fix is available.
Vulnerabilities Not Analyzed
- Any vulnerability with severity lower than high that does not have an existing fix.
- Any vulnerability with severity low or unimportant.
We also review vulnerabilities of any other severity when there is a known exploit or proof-of-concept that is affects Prisma Cloud Compute. Including product vulnerabilities identified during development, reported by customers or third-party researchers. To report a vulnerability in Prisma Cloud Compute, submit the vulnerability details to our PSIRT team.
Frequently Asked Questions
- Which Prisma Cloud Compute releases receive security updates?
Prisma Cloud has an 'n-2' support policy that means the current release ('n') and the previous two releases ('n-1' and 'n-2') receive support. Security fixes will be backported only for supported releases. End of Life (EOL) releases will not receive security fixes. For more information, see support lifecycle.
Are security fixes provided for both Prisma Cloud Enterprise and Compute editions?
Yes, security vulnerabilities are addressed in both the editions.
Do I have to upgrade my console/defender to get security updates?
If security fixes are released, you may be required to upgrade either or both the Console and Defender. We recommend that all security releases are adopted immediately. For the full details of which vulnerabilities were fixed in a release, refer to the
What is the minimum severity for vulnerabilities to warrant a security release?
See triage criteria above.
What is the frequency of security releases for Prisma Cloud Compute?
There is no schedule for security releases. Security releases happens anytime a new vulnerability that meets the criteria outlined above is discovered in Prisma Cloud Compute.
Where do you take information on severity and fix details when triaging?
Console and Defender images are based on Red Hat Universal Base Images. For known vulnerabilities that are assigned a CVE identifier, we rely on severity ratings and fixes released by Red Hat. For zero-days or undocumented vulnerabilities (such as PRISMA-IDs), we rely on severity determined by our researchers.
A new vulnerability is affecting Prisma Cloud Compute, but a security release was not issued.If the vulnerability affects the latest release, meets the criteria for a security release outlined above, but it has not yet been addressed: please report it through to Palo Alto Networks Support or to PSIRT.