-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2019.0039
       PAN-OS Management Web Interface: Cross-site scripting
                           25 January 2019
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              PAN-OS Management Web Interface
Operating System:     Network Appliance
                      PAN-OS
Impact/Access:        Cross-site Scripting -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2019-1566
Member content until: Sunday, February 24 2019

OVERVIEW

        Palo Alto Networks has addressed a Cross-Site Scripting (XSS)
        vulnerability in PAN-OS Management Web Interface.

        The following versions of PAN-OS Management Web Interface are
        affected:

          o PAN-OS 7.1.21 and earlier
          o PAN-OS 8.0.14 and earlier
          o PAN-OS 8.1.5 and earlier [1]

IMPACT

        The vendor has provided the following details of the impact:

        "Severity: High

        Successful exploitation of this issue may allow an unauthenticated
        attacker to inject arbitrary JavaScript or HTML." [1]

MITIGATION

        The following updates have been made available to resolve this
        issue:

          o PAN-OS 7.1.22 and later
          o PAN-OS 8.0.15 and later
          o PAN-OS 8.1.6 and later [1]

        Workarounds

        Please refer to the PAN-OS Management Interface best practices
        guidelines which can be used to minimise exposure from potential
        attackers. [2]

REFERENCES

        [1] Cross-Site Scripting (XSS) in PAN-OS Management Web Interface
            https://securityadvisories.paloaltonetworks.com/Home/Detail/140

        [2] Best Practice Guidelines for PAN-OS Management Interface
            https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started/best-practices-for-securing-administrative-access

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.

The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXEqE7WaOgq3Tt24GAQh6uhAA0zBMTzM57gj6JN0j/+QYPDxiGvuahrPq
0ufxkr0ecNtJL+B0bLY8UUaGEjGoDGz2m5R4lt/CApeksnYWUFqxTmQ8aKLYmvcy
YzktWfYdEJsoKwhLIbO5xSE3DkDKg+Cz0OmGc70veWB+HzI2eco4sfPJ7iILNfFz
v1V+mlyIKZJos518wBJ4Ni1wuIP6QkvrZngH+5aI4mjTY3GaWVeicwEHIeYRGwy6
7HiqRNIO2Un+UlsniivAs1XP8uUvV4cqbsGNScTNtzV9tDqZ9W7ilHZvOCX54VhB
kPesAtHrehbOxvAr4NpU/Rndr2Ir9ehwQgscmbRnCtjkwIl+08RsUuS26nJjGIhp
eWRnTW20QXHdI8vGM4bOc04yG9zOQc0zdtwoW+QRYVm5Ijm4fy4FT8reLByu7+Nd
q2AogmFGb1dN2B1cHv1CTphLMVS3fv2sR//dWSUAKXvCucXwDUuRCrhzd1PCLaWR
I7HNiFtVr4F1VDl5eU7NWQtuTl67fHHvuHRomZdCcmFED0u4gw1H05zPIk4yCMJZ
KRRNmIBUqOYOZukeUmBO44ZikxVdqQB9TKCmpNcdEaaGN7Nz1JACsSJ3nIZQlM5s
Ux1z/ROPyy4sG8kFIpcb2f+fAUOyW2a4mVf7LSNUN3GPVXlvv1rFoRtOCzXECn0b
kbKqYVAxUtY=
=JzoC
-----END PGP SIGNATURE-----
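The bulletin gives three affected trains (7.1, 8.0, 8.1) and a first fixed release for each. A fleet check has to compare a device's reported version against the right train rather than a single threshold, and PAN-OS version strings carry an optional "-hN" hotfix suffix that a naive string compare gets wrong. The following Python is an added example, not part of the AusCERT bulletin and not Palo Alto Networks tooling: it parses a PAN-OS version string, classifies it against the MITIGATION list above, and pulls the version out of a constructed sample API reply. The fixed-release table is taken from the bulletin; the XML reply layout (a sw-version element under result) and the sample hostname and version are assumptions made for the example.

```python
"""Classify PAN-OS versions against the fixed releases in ASB-2019.0039 (CVE-2019-1566).

Added example; not from the AusCERT bulletin or from Palo Alto Networks.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# First fixed release per affected train, from the bulletin's MITIGATION section.
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 1): (7, 1, 22),
    (8, 0): (8, 0, 15),
    (8, 1): (8, 1, 6),
}

# PAN-OS versions look like "8.0.14" or, with a hotfix, "8.0.14-h4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix); hotfix is 0 when no -hN suffix is present."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for CVE-2019-1566.

    The bulletin names base releases only, so the hotfix level is parsed but
    deliberately ignored: 8.0.14-h4 is still an 8.0.14 base and is treated as
    vulnerable unless the vendor advisory [1] says a hotfix carries the fix.
    """
    major, minor, patch, _hotfix = parse_panos_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "unlisted"  # train not covered by the bulletin (e.g. a newer major)
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


# Constructed sample of an XML API reply; the element layout is an assumption.
SAMPLE_VERSION_RESPONSE = """<response status="success">
  <result>
    <hostname>fw-edge-01</hostname>
    <sw-version>8.0.14-h4</sw-version>
  </result>
</response>"""


def version_from_api_response(xml_text: str) -> str:
    """Extract <sw-version> from an API reply, refusing non-success responses."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError(f"API call failed: status={root.get('status')!r}")
    node = root.find("./result/sw-version")
    if node is None or not (node.text or "").strip():
        raise RuntimeError("no <sw-version> element in API response")
    return node.text.strip()


if __name__ == "__main__":
    for v in ("7.1.21", "7.1.22", "8.1.5", "8.1.6", "9.0.0",
              version_from_api_response(SAMPLE_VERSION_RESPONSE)):
        print(f"{v:>10}  {assess(v)}")
```

Two results deserve a second look before acting on them: "unlisted" means the train is simply not named in this bulletin, not that it is safe, and a hotfix build on an affected base (such as the constructed 8.0.14-h4) is reported as vulnerable because the bulletin lists only base releases; confirm against the vendor advisory [1] before closing the finding. Until the upgrade is applied, the workaround in the bulletin still applies: restrict who can reach the management interface at all.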