Palo Alto Networks Security Advisories [30-August-2017]

With the release of PAN-OS 7.1.12 Palo Alto Networks has published 2 new and 1 updated Security Advisory addressing 3 security issues.

New Security Advisories

PAN-SA-2017-0023 - Cross-Site Scripting in PAN-OS

A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface, that could allow for a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters.

• Medium Severity
• Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3
• CVE-2017-12416

PAN-SA-2017-0024 - XML External Entity (XXE) in PAN-OS 

A vulnerability exists in PAN-OS’s GlobalProtect internal and external gateway interface, that could allow for XML External Entity (XXE) attack. PAN-OS does not properly parse XML input.

• High Severity
• Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3
• CVE-2017-9458

Updated Security Advisory

PAN-SA-2017-0022 - NTP Vulnerability

The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.

• Low Severity
• Fixed in PAN-OS 7.1.12 and PAN-OS 8.0.4
• Fixes for 6.1 and 7.0 will be released on a future date
• CVE-2017-6460

Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.



Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/



If you have questions, please contact support https://www.paloaltonetworks.com/company/contact-support



Regards


Product Security Incident Response Team
Palo Alto Networks

Updated August-31-2017 - Security Advisories updated to clarify that both the Internal and external interfaces of GlobalProtect are affected by issues listed in PAN-SA-2017-0023 and PAN-SA-2017-0024