PAN-OS 8.1.20 Addressed Issues
Focus
Focus

PAN-OS 8.1.20 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 8.1.20 Addressed Issues

PAN-OS® 8.1.20 addressed issues.
Issue ID
Description
WF500-5568
Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.
PAN-168921
Fixed an issue in active/active high availability (HA) configuration where traffic with complete packets was showing up as incomplete and being disconnected due to a non-session owner device closing the session prematurely.
PAN-167989
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
PAN-166836
Fixed an issue where session failed due to resource unavailability.
PAN-166299
(PA-3000 Series firewalls only) Fixed an issue where Server Message Block (SMB) sessions failed due to resource unavailability.
PAN-166241
A fix was made to address an improper restriction of XML external identity (XXE) reference in the PAN-OS web interface that enabled an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that caused the service to crash (CVE-2021-3055).
PAN-164922
Fixed an issue on Panorama where a context switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19 failed.
PAN-164846
Fixed an issue where packet buffers were depleted.
PAN-164422
(VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).
PAN-160744
Fixed an issue where the negative time difference between the dataplane and the management plane during the client certificate info check prevented the GlobalProtect client from connecting to the GlobalProtect gateway with the following error message: Required client certificate not found.
PAN-160708
Fixed an issue where the dataplane restarted after configuring a a deny_all policy.
PAN-158723
A fix was made to address an improper handling of exception conditions in the PAN-OS dataplane that enabled an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that caused the service to crash (CVE-2021-3053).
PAN-158262
A buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS software allows remote attackers to execute arbitrary code.
A fix was made to address a buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS that allowed a remote attacker to execute arbitrary code (CVE-2020-10188).
PAN-157834
Fixed an issue with missing zone entries in CSV or PDF export files.
PAN-157730
Fixed an issue where, after a firewall reboot, a commit or auto-commit operation failed with the following error message: ID population failed. This issue occurred because the Phase1 ID assignment failure did not trigger an idmgr reset.
PAN-157632
Fixed an intermittent issue where the firewall dropped GPRS Tunneling Protocol (GTP-U) traffic with the message TEID=0x00000000.
PAN-157346
Fixed an issue where HIP custom checks for plist failed when the HIP exclusion category were configured under (Mobile User Template > Network > GlobalProtect > Portal<portal-config> > Agent<agent-config> > HIP Data Collection).
PAN-156225
(PA-3200 Series firewalls only) Fixed an issue where the HA1-B port remained down after an upgrade from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to PAN-OS 10.0.4.
PAN-155532
Fixed an issue where the mgmtsrv process restarted due to a missing protective check around access to potentially NULL pointers.
PAN-154526
Fixed an issue where a process (genindex.sh) caused high memory usage on the management plane. Due to the resulting out-of-memory (OOM) condition, multiple processes stopped responding.
PAN-154376
Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.
PAN-153908
(PA-5000 Series firewalls only) Fixed an issue where the show vpn flow CLI command displayed incorrect details.
PAN-153382
Fixed an issue where the per-minute resource monitor was three minutes behind.
PAN-153261
Fixed an issue where not all fragmented packets were transmitted, which caused increased packet buffer usage.
PAN-153107
Fixed an issue where a dataplane process stopped responding while processing fragmented traffic on GTP-U tunnels.
PAN-151120
Fixed an issue where the SYN-ACK packet matched stale entries in the session flow table and was dropped on the firewall with the following error message: Inactive flow state 0.
PAN-150337
A fix was made to address a reflect cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).
PAN-149501
A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).
PAN-147221
Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints
PAN-146250
Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.
PAN-146107
Fixed an issue where memory allocation failure caused a process (pan_comm) to restart several times, which caused the firewall to restart.
PAN-143426
Fixed a memory leak issue where a process (devsrvr) restarted due to the memory limit being exceeded.
PAN-138727
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
PAN-128634
A debug command was added to provide more verbose output when troubleshooting packet processing on the firewall.
PAN-120013
Fixed an issue where secure communication settings were incorrectly synchronized between Panorama appliances in an HA configuration.
PAN-119922
Fixed an issue in Panorama where the show config diff command was not working correctly and produced unexpected output.
PAN-118667
Fixed an issue where firewall policy configurations displayed [object Object] instead of the object names.
PAN-115541
Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.
PAN-110429
Fixed an issue with firewalls in an HA configuration where multiple all_pktproc processes stopped responding due to missing heartbeats, which caused service outages.