https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222790#M123514 <P>Hello,</P> <P>Here is what I do to see what gets patched etc. I first look a the vulnerability and see to what degree I am affected. If we look at CVE-2025-0108, the main issue is "<SPAN>an unauthenticated attacker with network access to the management web interface to bypass the authentication". Since I have my management interfaces protected by the PAN and policies allowed via user-id, its a very low impact for me. Meaning I only allow those who should/do have access already so not a big deal.</SPAN></P> <P>&nbsp;</P> <P><SPAN>So if there was not a preferred release that has the patch applied, I could wait since the likelihood of this being exploited is extremely low to nonexistent.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Happy to discuss how to protect the management interface if you wish. Maybe I'll write and article on it?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this helps.</SPAN></P> Wed, 05 Mar 2025 15:21:21 GMT OtakarKlier 2025-03-05T15:21:21Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222744#M123505 <P>Hello everyone,</P> <P>&nbsp;</P> <P>&nbsp; maybe this is a silly question, but as far as I can see the current PAN-OS 10.2 preferred release dates back in november and does not include fixes for recently discovered vulnerabilities (CVE-2025-0108, for example). I usually put a vulnerability protection profile in front of my management networks, but this vulnerability is not covered by any threat prevention signature. To my understandings, this means that running the currently preferred release leaves the firewall vulnerable to this particular threat. Am I right or am I missing something?</P> <P>&nbsp;</P> <P>Kind regards</P> Wed, 05 Mar 2025 09:40:30 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222744#M123505 grenzi 2025-03-05T09:40:30Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222767#M123509 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/61214">@grenzi</a>&nbsp;,</P> <P>&nbsp;</P> <P>Here's the advisory for&nbsp;CVE-2025-0108:</P> <P><A href="https://security.paloaltonetworks.com/CVE-2025-0108" target="_blank">https://security.paloaltonetworks.com/CVE-2025-0108</A></P> <P>&nbsp;</P> <P>You will find 10.2 versions listed here that are unaffected by the vulnerability.</P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> Wed, 05 Mar 2025 11:51:56 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222767#M123509 kiwi 2025-03-05T11:51:56Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222771#M123511 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/61214">@grenzi</a> ,</P> <P>&nbsp;</P> <P>That is a good point.&nbsp; I went ahead and upgraded to a fixed version since it is only a couple minor releases different.&nbsp; The only changes in the software will be vulnerability fixes.&nbsp; I don't know the exact process, but PANW always waits a while before marking a new release as preferred.&nbsp; I believe they look at the support cases for a little while to make sure there are no bad bugs in the code.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 05 Mar 2025 12:06:37 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222771#M123511 TomYoung 2025-03-05T12:06:37Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222772#M123512 <P>Hi Kiwi, thank you. I know about the patch releases that fix this vulnerability; my only concern is that che currently preferred release is affected, so the solution is to install a "non preferred" release. Anyway I saw other similar questions on the community, for example: <A href="https://live.paloaltonetworks.com/t5/general-topics/cve-2025-0108/td-p/1220580" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/cve-2025-0108/td-p/1220580</A></P> <P>&nbsp;</P> <P>I'm not afraid of upgrading, it's only a matter of, let's say, consistence <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 05 Mar 2025 12:12:45 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222772#M123512 grenzi 2025-03-05T12:12:45Z https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222790#M123514 <P>Hello,</P> <P>Here is what I do to see what gets patched etc. I first look a the vulnerability and see to what degree I am affected. If we look at CVE-2025-0108, the main issue is "<SPAN>an unauthenticated attacker with network access to the management web interface to bypass the authentication". Since I have my management interfaces protected by the PAN and policies allowed via user-id, its a very low impact for me. Meaning I only allow those who should/do have access already so not a big deal.</SPAN></P> <P>&nbsp;</P> <P><SPAN>So if there was not a preferred release that has the patch applied, I could wait since the likelihood of this being exploited is extremely low to nonexistent.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Happy to discuss how to protect the management interface if you wish. Maybe I'll write and article on it?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this helps.</SPAN></P> Wed, 05 Mar 2025 15:21:21 GMT https://live.paloaltonetworks.com/t5/general-topics/pan-os-10-2-preferred-release-vs-vulnerabilities/m-p/1222790#M123514 OtakarKlier 2025-03-05T15:21:21Z