August 31, 2017

Palo Alto Networks Publishes 2 New and 1 Updated Security Advisory Addressing 3 Security Issues

New Security Advisories 

PAN-SA-2017-0023 – Cross-Site Scripting in PAN-OS 

A vulnerability exists in PAN-OS's GlobalProtect external interface that could allow for a cross-site scripting (XSS) attack. PAN-OS does not properly validate specific request parameters.

 * Medium Severity

 * Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3

 * CVE-2017-12416

PAN-SA-2017-0024 – XML External Entity (XXE) in PAN-OS 

A vulnerability exists in PAN-OS's GlobalProtect external interface that could allow for an XML External Entity (XXE) attack. PAN-OS does not properly parse XML input.

 * High Severity

 * Fixed in PAN-OS 6.1.18, PAN-OS 7.0.17, PAN-OS 7.1.12 and PAN-OS 8.0.3

 * CVE-2017-9458

Updated Security Advisory

PAN-SA-2017-0022 – NTP Vulnerability

The Network Time Protocol (NTP) library has been found to contain a vulnerability, CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall.

 * Low Severity

 * Fixed in PAN-OS 7.1.12 and PAN-OS 8.0.4

 * Fixes for 6.1 and 7.0 will be released on a future date

 * CVE-2017-6460 

Details of the issues, affected versions, and any mitigation information can be found in the Security Advisory at https://securityadvisories.paloaltonetworks.com/
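As an added example (not part of the Herjavec Group notice and not a Palo Alto Networks tool), the script below transcribes the "Fixed in" lines of the three advisories into a table and reports which firewalls in an inventory still need action. The hostnames and versions in the sample inventory are constructed, and ignoring a "-hN" hotfix suffix when comparing against the fixed maintenance release is an assumption of this example, not a statement from the advisories.

```python
import re
from typing import Dict, List, Optional

# Fixed-version table transcribed from the advisories above.
# branch -> first fixed maintenance release; None means the advisory says
# the fix for that branch is still to be released.
ADVISORIES: Dict[str, Dict[str, Optional[int]]] = {
    "PAN-SA-2017-0023 CVE-2017-12416 XSS": {"6.1": 18, "7.0": 17, "7.1": 12, "8.0": 3},
    "PAN-SA-2017-0024 CVE-2017-9458 XXE":  {"6.1": 18, "7.0": 17, "7.1": 12, "8.0": 3},
    "PAN-SA-2017-0022 CVE-2017-6460 NTP":  {"6.1": None, "7.0": None, "7.1": 12, "8.0": 4},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text: str):
    """Return (branch, maintenance) for a PAN-OS version such as '7.1.10'.
    Assumption of this example: a '-hN' hotfix suffix does not change the
    maintenance number the advisory cut-off is compared against."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = (int(g) for g in m.groups())
    return f"{major}.{minor}", maint


def status(version: str, fixed: Dict[str, Optional[int]]) -> str:
    """Classify one version against one advisory's fixed-version table."""
    branch, maint = parse_version(version)
    if branch not in fixed:
        return "not listed"  # branch not named by the advisory: check the vendor page
    cutoff = fixed[branch]
    if cutoff is None:
        return "affected (fix pending)"
    return "fixed" if maint >= cutoff else "affected"


def triage(inventory: Dict[str, str]) -> List[str]:
    """One 'host version advisory status' line per pair that is not fixed."""
    findings = []
    for host, version in inventory.items():
        for advisory, fixed in ADVISORIES.items():
            s = status(version, fixed)
            if s != "fixed":
                findings.append(f"{host}\t{version}\t{advisory}\t{s}")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory: hypothetical hostnames and versions.
    sample = {"fw-edge-01": "8.0.3", "fw-edge-02": "7.1.10",
              "fw-dc-01": "7.0.17", "fw-lab": "5.0.20"}
    for line in triage(sample):
        print(line)
```

A host on 8.0.3 is reported only for the NTP advisory, whose 8.0 fix is 8.0.4, and a 7.0.17 host is still listed for NTP because that branch has no fix yet.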

Herjavec Group circulates Palo Alto Networks Security Advisories as this notification warrants attention and may have significance to your enterprise network environment. If the following advisory is applicable to your environment, Herjavec Group recommends your IT team review the technical details included and monitor your environment for any susceptible systems. Herjavec Group's analysts are working with Palo Alto to apply detection and mitigation strategies where appropriate. For Managed Services customers, our Managed Services team will engage with the appropriate technical contacts in your respective organizations directly to provide alerts, escalations, actions and/or reports based on our service agreement with you. If you have questions or concerns, please engage your Herjavec Group account representative directly or contact Herjavec Group


About Herjavec Group

Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services supported by state-of-the-art, PCI compliant, Security Operations Centers, operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including across the United States, the United Kingdom, and Canada. For more information, visit www.herjavecgroup.com.
