topic Re: Vulnerability found on Firewall Need to address in Advanced Threat Prevention Discussions

Vulnerability found on Firewall Need to address

SahulH — Sat, 30 Jan 2021 07:27:36 GMT

Hi Team,

We are getting following vulnerabilities on one of our PA Firewall. Kindly suggest the next PoA regarding mentioned vulnerabilities.

Plugin	Plugin Name	Family	Severity	IP Address	Type
84502	HSTS Missing From HTTPS Server	Web Servers	Medium	x.x.x.x	Palo Alto
136929	JQuery 1.2 < 3.5.0 Multiple XSS	CGI abuses : XSS	Medium	x.x.x.x	Palo Alto

Kindly review and share us with your inputs. Awaiting for response !!

Best Regards,

Sahul Hameed

Re: Vulnerability found on Firewall Need to address

laurence64 — Tue, 02 Feb 2021 11:05:47 GMT

Hi,

I am wondering if you could share a little more info,

What scanner is this ?

Am I correct in assuming you are scanning the mgmt of the PA ?

What Version of code is your PA running ?

Re: Vulnerability found on Firewall Need to address

SahulH — Wed, 03 Feb 2021 09:49:14 GMT

@laurence64-- Please find the answer for your queries below.

What scanner is this ? -- Ans.. Nessus Vulnerability Scanner

Am I correct in assuming you are scanning the mgmt of the PA ? Ans.. Yes, scanned the MGMT interface only

What Version of code is your PA running ? Ans.. PAN OS 9.1.3-h1

Do let us know if you need any other information. Awaiting for your reply !!

Best Regards,

Sahul Hameed

Re: Vulnerability found on Firewall Need to address

mivaldi — Wed, 03 Feb 2021 20:40:43 GMT

HSTS issue was resolved in 9.1.5

JQuery is targeted to be resolved in 9.1.8

Re: Vulnerability found on Firewall Need to address

SahulH — Thu, 04 Feb 2021 09:11:28 GMT

@mivaldiHi,

Will try by upgrading the firewall to 9.1.5 to see whether it helps us on this.

Also can you please share me with the reference document that points this point that HSTS issue was resolved in 9.1.5 and JQuery is targeted to resolved in 9.1.8 software code. This will help us for reference.

Best Regards,

Sahul Hameed

Re: Vulnerability found on Firewall Need to address

mivaldi — Thu, 04 Feb 2021 18:28:41 GMT

The release notes for 9.1.5 didn't include it but it was issue PAN-110168. I tested it in the lab and I actually see it was fixed earlier than stated in our notes (I see it fixed in 9.1.4, where the "Strict-Transport-Security: max-age=31536000" header is included).

For jQuery the issue id is PAN-147254 and the fix has not been released yet, however, we released a Security Advisory letting our customers know that even though the version of jQuery is outdated, the conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS. You can find this information in https://security.paloaltonetworks.com/PAN-SA-2020-0007.

Re: Vulnerability found on Firewall Need to address

LCMember2975 — Tue, 19 Oct 2021 17:26:00 GMT

Is there a fix for this in the 8.1.x train? or are we required to upgrade to 9.1.x?

Re: Vulnerability found on Firewall Need to address

ymiyashita — Wed, 20 Oct 2021 00:45:58 GMT

PAN-110168 was fixed in PAN-OS 8.1.9. It can be found in the release note.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-release-notes/pan-os-8-1-addressed-issues/pan-os-8-1-9-addressed-issues.html

PAN-147254: jQuery was upgraded to 3.5.1 in PAN-OS 8.1.19.
At this time, OSS listing still shows 3.4.1. Palo Alto Networks is working on the documentation.
https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-8-1-open-source-software-oss-listing.html