-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2019.0039
           PAN-OS Management Web Interface: Cross-site scripting
                              25 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PAN-OS Management Web Interface
Operating System:     Network Appliance
                      PAN-OS
Impact/Access:        Cross-site Scripting -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-1566
Member content until: Sunday, February 24 2019

OVERVIEW

        Palo Alto Networks has addressed a Cross-Site Scripting (XSS)
        vulnerability in the PAN-OS Management Web Interface.
        
        
        The following versions of PAN-OS Management Web
        Interface are affected:
        
        o PAN-OS 7.1.21 and earlier
        o PAN-OS 8.0.14 and earlier
        o PAN-OS 8.1.5 and earlier [1]


IMPACT

        The vendor has provided the following details of the impact:
        
        "Severity: High
        
        Successful exploitation of this issue may allow an unauthenticated attacker to
        inject arbitrary JavaScript or HTML." [1]


MITIGATION

        The following updates have been made available to resolve this issue:
        
        o PAN-OS 7.1.22 and later
        o PAN-OS 8.0.15 and later
        o PAN-OS 8.1.6 and later [1]
        
        Workarounds
        Please refer to the PAN-OS Management Interface best practices
        guidelines, which can be used to minimise exposure of the
        management interface to potential attackers. [2]
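        To turn the affected/fixed lists above into an inventory check, the
        following script (an added example, not part of the AusCERT bulletin
        or Palo Alto Networks' own tooling) parses PAN-OS version strings and
        compares them numerically, per release branch, against the fixed
        releases named in this bulletin. It assumes that a hotfix suffix such
        as "8.0.14-h1" can be ignored and only the base release compared; the
        bulletin itself says nothing about hotfix numbering.

```python
import re
from typing import Optional

# Fixed release per affected branch, taken from the bulletin: any release in
# that branch below the fixed one is affected. Branches the bulletin does not
# list (for example 9.0) are outside its scope and reported as "not covered".
FIXED_RELEASE = {
    (7, 1): (7, 1, 22),
    (8, 0): (8, 0, 15),
    (8, 1): (8, 1, 6),
}

# Accepts "8.1.5" and hotfix builds such as "8.1.5-h1". Assumption: the
# hotfix suffix is dropped and only the base release is compared.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, maintenance) as integers so that comparisons are
    numeric; a plain string comparison would rank "8.1.10" below "8.1.6"."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if the release is affected by CVE-2019-1566, False if it carries
    the fix, None if its branch is not covered by the bulletin."""
    v = parse_version(version)
    fixed = FIXED_RELEASE.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def triage(versions):
    """Bucket an inventory of version strings for a patch report."""
    result = {"affected": [], "fixed": [], "not_covered": []}
    for ver in versions:
        status = is_affected(ver)
        key = "not_covered" if status is None else ("affected" if status else "fixed")
        result[key].append(ver)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = ["7.1.21", "7.1.22", "8.0.14-h1", "8.0.15", "8.1.5", "8.1.10", "9.0.0"]
    for bucket, items in triage(inventory).items():
        print(f"{bucket}: {items}")
```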


REFERENCES

        [1] Cross-Site Scripting (XSS) in PAN-OS Management Web Interface
            https://securityadvisories.paloaltonetworks.com/Home/Detail/140

        [2] Best Practice Guidelines for PAN-OS Management Interface
            https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started/best-practices-for-securing-administrative-access

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----