# Managing Vulnerabilities in Unstable Releases and Cutting-Edge Packages With Prisma Cloud

By [Shaul Ben Hai](https://www.paloaltonetworks.com/blog/author/shaul-ben-hai/?ts=markdown "Posts by Shaul Ben Hai") | Jan 04, 2022 | 6 minutes

Categories: [Cloud Workload Protection Platform](https://www.paloaltonetworks.com/blog/cloud-security/category/cloud-workload-protection-platform/?ts=markdown), [Secure the Cloud](https://www.paloaltonetworks.com/blog/category/secure-the-cloud/?ts=markdown). Tags: [CVE](https://www.paloaltonetworks.com/blog/tag/cve/?ts=markdown), [Debian](https://www.paloaltonetworks.com/blog/tag/debian/?ts=markdown), [Open Source](https://www.paloaltonetworks.com/blog/tag/open-source/?ts=markdown), [Releases](https://www.paloaltonetworks.com/blog/tag/releases/?ts=markdown), [Vulnerability Management](https://www.paloaltonetworks.com/blog/tag/vulnerability-management/?ts=markdown)

### Executive Summary

The unstable release, as its name implies, is the OS distro release where active development takes place. Unsurprisingly, it is also the most volatile release. Images often contain unstable package versions; those packages expose the image to vulnerabilities and may expose its users to risk. In this blog post, I will discuss a case of a vulnerable unstable OS package in the Redis image that was caught by Prisma Cloud.

### Debian Backports and Releases

Debian is a Linux distribution composed of free and open-source software. Debian has three main releases: "stable", "testing" and "unstable".

* **Stable:** the up-to-date, recent Debian version.
* **Testing:** packages from the unstable release that have been tested move to the testing release.
* **Unstable:** the release where active development takes place. This kind of release is the most prone to vulnerabilities.

As of the time of writing this post, the most recent version of Debian is Debian 11, codenamed "Bullseye".

Once a package reaches the testing release, it is possible to build a backport of that package and include it in the stable release. Backports track the testing release, and only package versions included in testing are allowed in them. The goal of backports is to add features that are only offered in a new version, not to replace the process of getting fixes into the stable release. The naming convention appends "~bpo${release}+${build}" to the version number, e.g., "4.5-6" becomes "4.5-6~bpo11+1" (or use `dch --bpo`).

### Redis Image

Redis is an open-source key-value store that functions as a data structure server. The latest Redis image has recently been upgraded to use Debian 11 bullseye as its base image, and it contains several packages affected by known vulnerabilities, such as glibc, krb5, pam and perl.
Prisma Cloud scanned the Redis image and found that it contains the pam package in version 1.4.0-9, which, according to the Debian CVE tracker, is vulnerable to CVE-2020-36394. We tested multiple open-source vulnerability scanning tools, but only Prisma Cloud identified the pam packages as vulnerable. Prisma Cloud found that the pam source package is used in 4 other packages.

![Figure 1. Prisma Cloud package information](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/table-description-automatically-generated-4.png)

Figure 1. Prisma Cloud package information

As you can see in the screenshot below, the vulnerable package version is 1.4.0-9+deb11u1.

![Figure 2. Debian CVE tracker](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/table-description-automatically-generated-5.png)

Figure 2. Debian CVE tracker

A closer look at the CVE notes shows that the vulnerable code was introduced and fixed in v1.4.0.

![Figure 3. Debian CVE notes](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/graphical-user-interface-description-automaticall-2.png)

Figure 3. Debian CVE notes

### Unique Vulnerability Identification or False-Positive

In the Prisma Cloud research team, we regularly analyze vulnerabilities to determine the validity of their description and information, as well as to determine the correct ranges and packages so that they are properly applied for Prisma Cloud users.

For this CVE, Debian mentioned that the vulnerable code was introduced and fixed in v1.4.0. An attacker can set a quota on an arbitrary filesystem in certain situations where the attacker's home directory is a FUSE filesystem mounted under /home.

![Figure 4. Pam package vulnerable code](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/text-description-automatically-generated-10.png)

Figure 4. Pam package vulnerable code

The code was part of the "new module to set or modify disk quotas on session start" commit.

![Figure 5. commit message](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/graphical-user-interface-text-application-descr-2.png)

Figure 5. commit message

According to NVD, whether the package is vulnerable depends on the package build date: *"...pam\_setquota.c in the pam\_setquota module before* ***2020-05-29*** *for Linux-PAM allows local attackers to set their quota on an arbitrary filesystem, in certain situations where the attacker's home directory is a FUSE filesystem mounted under /home..."*

In the Debian bug tracker there is no reference to this issue, because from the linux-pam side the vulnerable code was introduced and fixed in the same version. Pam 1.4.0-9 is a testing package and is vulnerable to CVE-2020-36394. The official fix was introduced only in the stable Debian pam version, 1.4.0-9+deb11u1.

![Figure 6. Debian package information](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/graphical-user-interface-application-description-2.png)

Figure 6. Debian package information

The Prisma Cloud engine successfully identifies pam 1.4.0-9 as a vulnerable package, and it is the only tool we tested that discovered this vulnerability. Unstable releases are complex and hard to analyze; however, Prisma Cloud managed to uniquely discover this vulnerability compared to other scanners.

### Remediating the Vulnerability

Next, we will determine whether Prisma Cloud detects that the image was updated when the vulnerability was patched.

1. Pull the relevant Redis image tag: `redis@sha:0c0484b1d1ff36faace984fe9d8e0fe58892ecc34a4859b97171045b9cd343e1`

   ![Figure 7. Pulling redis image](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/word-image-2.png)

   Figure 7. Pulling redis image

2. Verify the libpam version.

   ![Figure 8. pam package verification](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/text-description-automatically-generated-11.png)

   Figure 8. pam package verification

3. Prisma Cloud identified the pam package as vulnerable.

   ![Figure 9. Prisma Pam package identification](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/graphical-user-interface-text-application-email-4.png)

   Figure 9. Prisma Pam package identification

4. Upgrade the pam package.

   ![Figure 10.1. Pam package upgrade](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/text-description-automatically-generated-12.png)

   Figure 10.1. Pam package upgrade

   ![Figure 10.2. Pam package upgrade](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/text-description-automatically-generated-13.png)

   Figure 10.2. Pam package upgrade

5. If we verify the libpam version again, we can see that it has been upgraded to the fixed version.

   ![Figure 11. Pam package new version verification](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/text-description-automatically-generated-14.png)

   Figure 11. Pam package new version verification

6. Checking the Prisma Cloud Console again, the vulnerability is gone.

   ![Figure 12. Prisma Cloud vulnerable package view](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/01/graphical-user-interface-text-application-email-5.png)

   Figure 12. Prisma Cloud vulnerable package view

### Conclusion

Accurate vulnerability identification is a critical part of supply chain security. It is the first necessary step in cloud security, keeping your code safe from known and unknown vulnerabilities. Proper vulnerability management is another part of the chain. The more synergy there is between the two, the safer your deployments will be. This is even more true when it comes to Linux distributions. There are many differences in how each distribution maintains and manages packages, including the way security vulnerabilities are disclosed, solved and patched. Packages can be backported on some distros and may be available only for specific releases, or even only from an external repository; it all depends on the way each distro handles security issues for its own components.

The cost of incorrect identification (false positives) is very high for security teams. Tools that bombard security teams with inapplicable vulnerabilities are time-consuming and, in some cases, can cause unnecessary downtime by incorrectly alerting on high-severity vulnerabilities. On the other hand, the cost of missed identification (false negatives) is even higher, as leaving applications exposed to unpatched vulnerabilities presents the highest security risk in the supply chain. Prisma Cloud researchers track and scan packages in each distribution and keep you protected even in very complex scenarios.

For more information about Prisma Cloud open source vulnerability management and how it keeps your cloud safer, read more on [vulnerability management with Prisma Cloud](https://www.paloaltonetworks.com/blog/prisma-cloud/open-source-vulnerability-management/).