We are getting the following vulnerabilities on one of our PA firewalls. Kindly suggest the next PoA regarding the mentioned vulnerabilities.
HSTS Missing From HTTPS Server
JQuery 1.2 < 3.5.0 Multiple XSS
CGI abuses : XSS
Kindly review and share your inputs with us. Awaiting your response!!
@laurence64 -- Please find the answers to your queries below.
What scanner is this? -- Ans: Nessus Vulnerability Scanner
Am I correct in assuming you are scanning the mgmt interface of the PA? -- Ans: Yes, we scanned the MGMT interface only
What version of code is your PA running? -- Ans: PAN-OS 9.1.3-h1
Do let us know if you need any other information. Awaiting your reply!!
We will try upgrading the firewall to 9.1.5 to see whether it helps with this.
Also, can you please share with us the reference document that states that the HSTS issue was resolved in 9.1.5 and that the jQuery issue is targeted to be resolved in the 9.1.8 software code? This will help us for reference.
The release notes for 9.1.5 didn't include it, but it was issue PAN-110168. I tested it in the lab and I actually see it was fixed earlier than stated in our notes (I see it fixed in 9.1.4, where the "Strict-Transport-Security: max-age=31536000" header is included).
For jQuery the issue ID is PAN-147254 and the fix has not been released yet; however, we released a Security Advisory letting our customers know that even though the version of jQuery is outdated, the conditions required for exploiting this vulnerability in jQuery do not exist in PAN-OS. You can find this information at https://security.paloaltonetworks.com/PAN-SA-2020-0007.
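The reply above gives the concrete evidence to look for after an upgrade: a `Strict-Transport-Security` header with `max-age=31536000` on the management interface, and the jQuery version string served by the web UI. The script below is an added example (not Palo Alto Networks code and not from the original thread) that verifies both findings the way Nessus does, so the re-scan result can be predicted from a single request. The constructed "old" and "new" responses, the hostname used in `fetch()` and the 31536000-second threshold are assumptions for illustration; `fetch()` is only needed when run against a live management interface and is not invoked at import time.

```python
"""Verify the HSTS and jQuery findings against HTTP responses.

Added example; not Palo Alto Networks code. The sample responses below are
constructed, not real captures, and the one-year threshold is an assumption.
"""
import http.client
import re
import ssl
from typing import Dict, Optional, Tuple


def parse_hsts(value: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into directives (RFC 6797).

    Directive names are case-insensitive; valueless directives such as
    includeSubDomains map to None.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def check_hsts(headers: Dict[str, str], min_age: int = 31536000) -> Tuple[bool, str]:
    """Return (ok, reason) for the HSTS finding. Header lookup is case-insensitive."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return False, "HSTS header missing"
    d = parse_hsts(value)
    age_str = d.get("max-age")
    if age_str is None or not age_str.isdigit():
        return False, "HSTS max-age missing or malformed"
    age = int(age_str)
    if age == 0:
        return False, "max-age=0 disables HSTS"
    if age < min_age:
        return False, f"max-age {age} below {min_age}"
    return True, f"HSTS present, max-age={age}"


# jQuery ships a banner comment such as "/*! jQuery v3.5.1 | ... */" or
# "jQuery JavaScript Library v1.12.4"; the version is read from that banner.
JQUERY_BANNER = re.compile(
    r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def jquery_version(js_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from served jQuery source, or None."""
    m = JQUERY_BANNER.search(js_text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def jquery_flagged(version: Tuple[int, int, int]) -> bool:
    """True when the version falls in the scanner's range 1.2 <= v < 3.5.0."""
    return (1, 2, 0) <= version < (3, 5, 0)


def fetch(host: str, path: str = "/", port: int = 443, verify: bool = False):
    """GET a path from a live host; returns (headers, body).

    Management interfaces commonly present a self-signed certificate, so
    verification is off by default. Only call this against hosts you own.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", path)
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return headers, body


# Constructed sample responses: before and after the fixes described above.
OLD_HEADERS = {"Server": "nginx", "Content-Type": "text/html"}
NEW_HEADERS = {"Server": "nginx", "Content-Type": "text/html",
               "Strict-Transport-Security": "max-age=31536000"}
OLD_JS = "/*! jQuery JavaScript Library v3.4.1 | (c) JS Foundation */"
NEW_JS = "/*! jQuery v3.5.1 | (c) JS Foundation and other contributors */"

if __name__ == "__main__":
    for label, hdrs, js in (("before", OLD_HEADERS, OLD_JS), ("after", NEW_HEADERS, NEW_JS)):
        ver = jquery_version(js)
        print(label, check_hsts(hdrs), ver, "jQuery flagged" if ver and jquery_flagged(ver) else "jQuery ok")
```

To check a real management interface, replace the constructed samples with `headers, body = fetch("fw-mgmt.example.internal")` and a second `fetch()` of the jQuery script path the web UI references; the checks themselves are unchanged. A `max-age` shorter than a year or an explicit `max-age=0` still counts as a failure, since many scanners treat either as equivalent to the header being absent.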
PAN-110168 was fixed in PAN-OS 8.1.9. It can be found in the release note.
PAN-147254: jQuery was upgraded to 3.5.1 in PAN-OS 8.1.19.
At this time, OSS listing still shows 3.4.1. Palo Alto Networks is working on the documentation.