With the release of PAN-OS 7.1.12, Palo Alto Networks has published 2 new and 1 updated Security Advisory addressing 3 security issues.
New Security Advisories
PAN-SA-2017-0023 - Cross-Site Scripting in PAN-OS
A vulnerability exists in the PAN-OS GlobalProtect internal and external gateway interfaces that could allow a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters.
PAN-SA-2017-0024 - XML External Entity (XXE) in PAN-OS
A vulnerability exists in the PAN-OS GlobalProtect internal and external gateway interfaces that could allow an XML External Entity (XXE) attack. PAN-OS does not properly parse XML input.
Updated Security Advisory
PAN-SA-2017-0022 - NTP Vulnerability
The Network Time Protocol (NTP) library has been found to contain a vulnerability, CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.
Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory.
Please visit our Security Advisories website to learn more at https://securityadvisories.paloaltonetworks.com/
If you have questions, please contact support at https://www.paloaltonetworks.com/company/contact-support
Product Security Incident Response Team
Palo Alto Networks
Updated August-31-2017 - Security Advisories updated to clarify that both the internal and external interfaces of GlobalProtect are affected by the issues listed in PAN-SA-2017-0023 and PAN-SA-2017-0024.