01-29-2021 11:27 PM
Hi Team,
We are getting the following vulnerabilities on one of our PA Firewalls. Kindly suggest the next PoA regarding the mentioned vulnerabilities.
Plugin | Plugin Name | Family | Severity | IP Address | Type
84502 | HSTS Missing From HTTPS Server | Web Servers | Medium | x.x.x.x | Palo Alto
136929 | JQuery 1.2 < 3.5.0 Multiple XSS | CGI abuses : XSS | Medium | x.x.x.x | Palo Alto
Kindly review and share your inputs with us. Awaiting your response!
Best Regards,
Sahul Hameed
02-02-2021 03:05 AM
Hi,
I am wondering if you could share a little more info:
What scanner is this?
Am I correct in assuming you are scanning the mgmt of the PA?
What version of code is your PA running?
02-03-2021 01:49 AM
@laurence64 -- Please find the answers to your queries below.
What scanner is this? -- Ans: Nessus Vulnerability Scanner
Am I correct in assuming you are scanning the mgmt of the PA? -- Ans: Yes, scanned the MGMT interface only
What version of code is your PA running? -- Ans: PAN-OS 9.1.3-h1
Do let us know if you need any other information. Awaiting your reply!
Best Regards,
Sahul Hameed
02-03-2021 12:40 PM
HSTS issue was resolved in 9.1.5
JQuery is targeted to be resolved in 9.1.8
02-04-2021 01:11 AM
@mivaldi Hi,
Will try upgrading the firewall to 9.1.5 to see whether it helps us with this.
Also, can you please share the reference document that states that the HSTS issue was resolved in 9.1.5 and that jQuery is targeted to be resolved in the 9.1.8 software code? This will help us for reference.
Best Regards,
Sahul Hameed
02-04-2021 10:28 AM
The release notes for 9.1.5 didn't include it but it was issue PAN-110168. I tested it in the lab and I actually see it was fixed earlier than stated in our notes (I see it fixed in 9.1.4, where the "Strict-Transport-Security: max-age=31536000" header is included).
For jQuery the issue id is PAN-147254 and the fix has not been released yet, however, we released a Security Advisory letting our customers know that even though the version of jQuery is outdated, the conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS. You can find this information in https://security.paloaltonetworks.com/PAN-SA-2020-0007.
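After upgrading, a practitioner will want to confirm both findings locally rather than waiting for the next Nessus run. The script below is an added example, not code from any participant in this thread or from Palo Alto Networks. It checks a response header set for the Strict-Transport-Security header the post above quotes (including the edge cases a scanner or browser cares about: header missing, unparseable, or max-age=0), and it extracts the version from a jQuery file's banner comment and compares it against the 3.5.0 threshold named in Nessus plugin 136929. The header and banner samples are constructed for the example; the live check assumes the management interface answers a HEAD / on port 443 with a certificate that is typically self-signed, and the jQuery check expects you to save the UI's jQuery file locally yourself, since the path it is served from is not given in this thread.

```python
"""Post-upgrade check for the two Nessus findings discussed above:
84502 (HSTS missing from HTTPS server) and 136929 (jQuery < 3.5.0).
Added example; not PAN-OS or Nessus code."""
import re
import ssl
import sys
import http.client
from typing import Dict, Optional, Tuple

# max-age PAN-OS sends once PAN-110168 is fixed, as quoted in the thread.
EXPECTED_MAX_AGE = 31536000
# Nessus 136929 flags jQuery versions below 3.5.0.
JQUERY_FIXED_IN = (3, 5, 0)

# Constructed sample inputs (not captured from a real firewall).
SAMPLE_HEADERS_FIXED = {"Content-Type": "text/html",
                        "Strict-Transport-Security": "max-age=31536000"}
SAMPLE_HEADERS_MISSING = {"Content-Type": "text/html"}
SAMPLE_JQUERY_OLD = "/*! jQuery v3.4.1 | (c) JS Foundation | jquery.org/license */"
SAMPLE_JQUERY_NEW = "/*! jQuery v3.5.1 | (c) JS Foundation | jquery.org/license */"


def parse_hsts(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security value (RFC 6797) into its directives.
    Returns None if the mandatory max-age directive is absent or malformed,
    which a browser treats as no policy at all."""
    directives: dict = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if not arg.isdigit():
                return None
            directives["max-age"] = int(arg)
        elif name in ("includesubdomains", "preload"):
            directives[name] = True
    return directives if "max-age" in directives else None


def check_hsts(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason) for plugin 84502; header lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "Strict-Transport-Security header missing (84502 would still fire)"
    parsed = parse_hsts(value)
    if parsed is None:
        return False, "HSTS header present but unparseable: %r" % value
    max_age = parsed["max-age"]
    if max_age == 0:
        return False, "max-age=0 tells browsers to discard the HSTS policy"
    if max_age < EXPECTED_MAX_AGE:
        return True, "HSTS present but max-age=%d is below the %d PAN-OS ships" % (max_age, EXPECTED_MAX_AGE)
    return True, "HSTS present, max-age=%d" % max_age


# Assumption: these are the banner forms jQuery's own builds emit at the top of the file.
_JQUERY_BANNER = re.compile(r"jQuery (?:JavaScript Library )?v(\d+)\.(\d+)\.(\d+)")


def jquery_version(js_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a jQuery file's banner, or None."""
    m = _JQUERY_BANNER.search(js_text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def check_jquery(js_text: str) -> Tuple[bool, str]:
    """Return (ok, reason) for plugin 136929 using tuple comparison, so 3.10.0 > 3.5.0."""
    ver = jquery_version(js_text)
    if ver is None:
        return False, "no jQuery version banner found"
    label = "%d.%d.%d" % ver
    if ver < JQUERY_FIXED_IN:
        return False, "jQuery %s is below 3.5.0 (136929 would fire)" % label
    return True, "jQuery %s is at or above 3.5.0" % label


def fetch_mgmt_headers(host: str, port: int = 443) -> Dict[str, str]:
    """HEAD / against the management interface. Its certificate is usually
    self-signed, so verification is disabled for this header-only check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.request("HEAD", "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_pan_findings.py <mgmt-host> [saved-jquery.js]
    print("HSTS:", check_hsts(fetch_mgmt_headers(sys.argv[1])))
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            print("jQuery:", check_jquery(f.read()))
```

Note that an HSTS header only has effect on responses delivered over HTTPS, which is why the check talks to port 443 directly; a redirect from HTTP that carries the header is ignored by browsers and still leaves the finding open.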
10-19-2021 10:26 AM
Is there a fix for this in the 8.1.x train? or are we required to upgrade to 9.1.x?
10-19-2021 05:45 PM
PAN-110168 was fixed in PAN-OS 8.1.9. It can be found in the release notes.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-release-notes/pan-os-8-1-addressed-issues/pan-os...
PAN-147254: jQuery was upgraded to 3.5.1 in PAN-OS 8.1.19.
At this time, OSS listing still shows 3.4.1. Palo Alto Networks is working on the documentation.
https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-8-1-open-source-software-o...