1. Overview

The Prisma Cloud Intelligence Stream provides timely vulnerability data collected and processed from a variety of certified upstream sources. Prisma Cloud continuously pulls data from the relevant sources to provide the most accurate results.

In addition to the information collected from official feeds, Prisma Cloud feeds are enriched with vulnerability data curated by our dedicated research team. Our Unit 42 security researchers monitor cloud and open source projects to identify security issues through a variety of automated and manual means. We can detect new vulnerabilities that were only recently disclosed, and even vulnerabilities that were quietly patched.

2. Pre-filled CVEs

In Prisma Cloud you may find vulnerabilities with a CVE identifier that MITRE or NVD is not reporting (or is actively analysing). This is the result of analysis our Unit 42 researchers conducted. The researchers manually review the details of each vulnerability, identify the correct range of affected releases and deliver the data to our feeds.

Let’s examine an example scenario. Security researchers find a vulnerability in an open source project. The vulnerability details are publicly discussed in the project’s bug tracker, e.g. in a GitHub issue. Following the discussion, the issue is fixed and a CVE ID is assigned to the issue. At this stage, NVD analysis takes place, and it may take multiple days for the NVD site to update with description and the affected releases range (CPE). Instead of waiting for the official analysis to complete, our researchers input the data into Prisma feeds quickly, and prevent any delay in remediation of the vulnerability. When the NVD entry is fully updated, Prisma uses the official data from NVD.

The following diagram shows the PRISMA ID assignment flow:

prisma id assignment flow

Thanks to this effort, with Prisma Cloud, you are able to protect yourself from new vulnerabilities much faster than with any other tool.

3. PRISMA-* IDs

You may also find vulnerabilities marked with a PRISMA-* identifier. These vulnerabilities lack a CVE ID. Many vulnerabilities are publicly discussed or patched without a CVE ever being assigned to them. While monitoring open source vulnerabilities, our team identifies vulnerabilities you need to be aware of, and assigns PRISMA IDs to them whenever applicable.

For example, let’s review PRISMA-2021-0020. A user found a bug in the Python package click and opened an issue through its open source repository in GitHub. Our research team found this issue and determined it explains a valid security vulnerability. Although no CVE was assigned to this vulnerability, our team promptly assigned it a PRISMA identifier, and analysed the correct range of affected releases. Affected customers were alerted of this vulnerability despite the lack of any public vulnerability identifier.

If a CVE is ever assigned to a same PRISMA vulnerability, the CVE takes over and the PRISMA entry is fully replaced by it.

4. PRISMA-* ID Syntax

PRISMA ID syntax consists of the PRISMA prefix, year of release and a sequence of four digits. For example, "PRISMA-2020-1234". This format is intentionally similar to that used by CVE IDs. There is absolutely no correlation between the sequence used for PRISMA IDs to that of CVEs released the same year. There is also no grouping of PRISMA IDs. That is, there is no correlation between adjacent PRISMA ID sequences.

5. Investigating PRISMA-* Vulnerabilities

The vulnerability description includes the necessary information required to understand the vulnerability. The vulnerability’s severity is carefully determined by our team based on CVSS scoring. You may also access the ID link to find the original source that resulted in the assignment of the PRISMA ID. This will likely be an external advisory, a GitHub (or other bug tracker) issue, or it may directly lead you to the fix commit (pull request) when there is no correlating informational page.

6. Upcoming developments

The following features are in our development pipeline.

  • Auto-updating rules with PRISMA-* IDs to new CVEs.

  • Viewing the past PRISMA IDs of CVEs in the UI.