With the release of PAN-OS 7.1.12 Palo Alto Networks has published 2 new and 1 updated Security Advisory addressing 3 security issues.
New Security Advisories
PAN-SA-2017-0023 - Cross-Site Scripting in PAN-OS
A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface that could allow a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters.
- Medium Severity
- Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3
- CVE-2017-12416
PAN-SA-2017-0024 - XML External Entity (XXE) in PAN-OS
A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface that could allow an XML External Entity (XXE) attack. PAN-OS does not properly parse XML input.
- High Severity
- Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3
- CVE-2017-9458
Updated Security Advisory
PAN-SA-2017-0022 - NTP Vulnerability
The Network Time Protocol (NTP) library has been found to contain a vulnerability, CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.
- Low Severity
- Fixed in PAN-OS 7.1.12 and PAN-OS 8.0.4
- Fixes for 6.1 and 7.0 will be released on a future date
- CVE-2017-6460
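Because the fixed releases differ per advisory and per release branch (8.0.3 for the two GlobalProtect issues but 8.0.4 for NTP, and no 6.1 or 7.0 fix for NTP yet), a small triage helper that maps an installed PAN-OS version to the advisories still outstanding is useful. This is an added example, not code from Palo Alto Networks; it encodes only the fixed versions listed in this notice, and it assumes PAN-OS version strings of the form major.minor.patch with an optional hotfix suffix such as -h1.

```python
from __future__ import annotations

# Fixed versions per advisory and PAN-OS release branch, as listed in this notice.
# None records that the notice states no fix has been released yet for that branch.
FIXED_VERSIONS: dict[str, dict[str, str | None]] = {
    "PAN-SA-2017-0023": {"6.1": "6.1.18", "7.0": "7.0.17", "7.1": "7.1.12", "8.0": "8.0.3"},
    "PAN-SA-2017-0024": {"6.1": "6.1.18", "7.0": "7.0.17", "7.1": "7.1.12", "8.0": "8.0.3"},
    "PAN-SA-2017-0022": {"6.1": None, "7.0": None, "7.1": "7.1.12", "8.0": "8.0.4"},
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Convert 'major.minor.patch[-hN]' into a comparable tuple (assumed format).

    A hotfix suffix such as '-h1' is dropped: a hotfix build is at least as new
    as its base release, so comparing on the base is sufficient here.
    """
    base = version.split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def outstanding_advisories(version: str) -> dict[str, str]:
    """Return the advisories that still apply to an installed version, with the action needed."""
    installed = parse_version(version)
    branch = f"{installed[0]}.{installed[1]}"
    outstanding: dict[str, str] = {}
    for advisory, fixes in FIXED_VERSIONS.items():
        if branch not in fixes:
            # A branch this notice does not mention cannot be judged from it alone.
            outstanding[advisory] = "branch not covered by this notice; check the advisory"
            continue
        fixed = fixes[branch]
        if fixed is None:
            outstanding[advisory] = "no fix released yet for this branch"
        elif installed < parse_version(fixed):
            outstanding[advisory] = f"upgrade to {fixed} or later"
    return outstanding


if __name__ == "__main__":
    # Constructed sample inventory: the first host has everything, the second needs 8.0.4 for NTP.
    for host, ver in [("fw-a", "7.1.12"), ("fw-b", "8.0.3"), ("fw-c", "6.1.17")]:
        print(host, ver, outstanding_advisories(ver) or "no outstanding advisories")
```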
Details of the issues, affected versions, and any mitigation information can be found in the corresponding Security Advisory.
Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/
If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support
Regards
Product Security Incident Response Team
Palo Alto Networks
Updated August-31-2017 - Security Advisories updated to clarify that both the internal and external interfaces of GlobalProtect are affected by the issues listed in PAN-SA-2017-0023 and PAN-SA-2017-0024