- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-11-2021 10:34 AM
Thought I would just put this notice out since I know a lot of people don't actually subscribe to security advisories directly. If you haven't already, I highly recommend that you sign up for notifications via https://security.paloaltonetworks.com/ and the 'Subscribe' feature at the top right.
As a general statement, you should ensure that you are on a respective PAN-OS build that is free of any published vulnerabilities or have compensating controls in-place to protect your environment from vulnerabilities.
CVE-2021-3050: PAN-OS: Command Injection Vulnerability in Web Interface.
CVSS: 8.8
An authenticated administrator can execute arbitrary OS commands to escalate privileges.
Version | Unaffected |
PAN-OS 10.1 | >= 10.1.2 |
PAN-OS 10.0 | >= 10.0.8 |
PAN-OS 9.1 | >= 9.1.11 |
PAN-OS 9.0 | >= 9.0.15 |
CVE-2021-3046: PAN-OS: Improper SAML Authentication Vulnerability in GlobalProtect Portal
CVSS: 6.8
AN improper authentication vulnerability exists that enables a SAMB authenticated attacker to impersonate any other user in the GlobalProtect Portal and GlobalProtect Gateway when they are configured to use SAML authentication.
Version | Unaffected Version |
PAN-OS 10.1 | 10.1.* (not affected by Vuln) |
PAN-OS 10.0 | >= 10.0.5 |
PAN-OS 9.1 | >= 9.1.9 |
PAN-OS 9.0 | >= 9.0.14 |
PAN-OS 8.1 | >= 8.1.19 |
CVE-2021-3048: PAN-OS: Invalid URLs in an EDL can lead to firewall outage
CVSS: 5.9
Certain invalid URL entries contained in an EDL cause the devsrvr to stop responding. This condition causes subsequent commits to fail and prevents administrators from performing commits and configuration changes, however the firewall remains otherwise functional. If the firewall restarts, it results in a DoS condition and the firewall stops processing traffic.
Version | Unaffected |
PAN-OS 10.1 | 10.1.* (Not affected by vuln) |
PAN-OS 10.0 | >= 10.0.5 |
PAN-OS 9.1 | >= 9.1.9 |
PAN-OS 9.0 | >= 9.0.14 |
PAN-OS 8.1 | 8.1.* (Not affected by vuln) |
CVE-2021-3045: PAN-OS: OS Command Argument Injection in Web Interface
CVSS: 4.9
An OS command injection vulnerability exists in the web interface that enables an authenticated administrator to read any arbitrary file from the file system.
Version | Unaffected |
PAN-OS 10.1 | 10.1.* (Not affected by vuln) |
PAN-OS 10.0 | 10.0.* (Not affected by vuln) |
PAN-OS 9.1 | >= 9.1.10 |
PAN-OS 9.0 | >= 9.0.14 |
PAN-OS 8.1 | >= 8.1.19 |
CVE-2021-3047: PAN-OS: Weak Cryptography used in web interface authentication
CVSS: 4.2
A cryptographically weak pseudo-random number generator is used during authentication to the web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authentication web interface administrator's session.
Version | Unaffected |
PAN-OS 10.1 | 10.1.* (Not affected by vuln) |
PAN-OS 10.0 | >= 10.0.4 |
PAN-OS 9.1 | >= 9.1.10 |
PAN-OS 9.0 | >= 9.0.14 |
PAN-OS 8.1 | >= 8.1.19 |
CVE-2021-26701: XSOAR: Impact of PowerShell Vulnerability CVE-2021-26701
CVSS: 0
XSOAR maintains docker images with PowerShell available for customers to use. The base image was updated on May 19,2021 with PowerShell version 7.1.3. PAN urges customers to upgrade their docker images to a version with the tag 7.1.3 or higher to protect against PowerShell vulnerability CVE-2021-26701.
08-12-2021 02:34 AM
Great info ! Thanks for the heads up @BPry !
08-12-2021 04:59 PM
I didn’t include it in my summary, but PAN actually includes guidance in the official advisory. They intend to have it available in September.
We intend to fix this issue in PAN-OS 9.0.15 (ETA November 2021), PAN-OS 9.1.11 (ETA September 2021), PAN-OS 10.0.8 (ETA September 2021), PAN-OS 10.1.2 (ETA September 2021) and all later PAN-OS versions.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!