Vulnerability found on Firewall Need to address

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Vulnerability found on Firewall Need to address

L3 Networker

Hi Team,

 

We are getting following vulnerabilities on one of our PA Firewall. Kindly suggest the next PoA regarding mentioned vulnerabilities.

 

Plugin

Plugin Name

Family

Severity

IP Address

Type

  

84502

HSTS Missing From HTTPS Server

Web Servers

Medium

x.x.x.x

Palo Alto

  

136929

JQuery 1.2 < 3.5.0 Multiple XSS

CGI abuses : XSS

Medium

x.x.x.x

Palo Alto

  

 

Kindly review and share us with your inputs. Awaiting for response !!

 

Best Regards,

Sahul Hameed

7 REPLIES 7

L4 Transporter

Hi,

 

 

I am wondering if you could share a little more info,

 

What scanner is this ?

Am I correct in assuming you are scanning the mgmt  of the PA ?

What Version of code is your PA running ?

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

@laurence64-- Please find the answer for your queries below.

 

What scanner is this ? -- Ans.. Nessus Vulnerability Scanner

Am I correct in assuming you are scanning the mgmt of the PA ? Ans.. Yes, scanned the MGMT interface only

What Version of code is your PA running ? Ans.. PAN OS 9.1.3-h1

 

Do let us know if you need any other information. Awaiting for your reply !!

 

Best Regards,

Sahul Hameed

 

 

 

HSTS issue was resolved in 9.1.5

JQuery is targeted to be resolved in 9.1.8

@mivaldiHi,

 

Will try by upgrading the firewall to 9.1.5 to see whether it helps us on this.

 

Also can you please share me with the reference document that points this point that HSTS issue was resolved in 9.1.5 and JQuery is targeted to resolved in 9.1.8 software code. This will help us for reference.

 

Best Regards,

Sahul Hameed

The release notes for 9.1.5 didn't include it but it was issue PAN-110168. I tested it in the lab and I actually see it was fixed earlier than stated in our notes (I see it fixed in 9.1.4, where the "Strict-Transport-Security: max-age=31536000" header is included).

 

For jQuery the issue id is PAN-147254 and the fix has not been released yet, however, we released a Security Advisory letting our customers know that even though the version of jQuery is outdated, the conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS. You can find this information in https://security.paloaltonetworks.com/PAN-SA-2020-0007.

 

 

L0 Member

Is there a fix for this in the 8.1.x train? or are we required to upgrade to 9.1.x?

PAN-110168 was fixed in PAN-OS 8.1.9. It can be found in the release note.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-release-notes/pan-os-8-1-addressed-issues/pan-os...

 

PAN-147254: jQuery was upgraded to 3.5.1 in PAN-OS 8.1.19.
At this time, OSS listing still shows 3.4.1. Palo Alto Networks is working on the documentation.
https://docs.paloaltonetworks.com/oss-listings/pan-os-oss-listings/pan-os-8-1-open-source-software-o...

 

  • 5864 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!