Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.

Fixed an issue in active/active high availability (HA) configuration where traffic with complete packets was showing up as incomplete and being disconnected due to a non-session owner device closing the session prematurely.

Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.

Fixed an issue where session failed due to resource unavailability.

(PA-3000 Series firewalls only) Fixed an issue where Server Message Block (SMB) sessions failed due to resource unavailability.

A fix was made to address an improper restriction of XML external identity (XXE) reference in the PAN-OS web interface that enabled an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that caused the service to crash (CVE-2021-3055).

Fixed an issue on Panorama where a context switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19 failed.

Fixed an issue where packet buffers were depleted.

(VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).

Fixed an issue where the negative time difference between the dataplane and the management plane during the client certificate info check prevented the GlobalProtect client from connecting to the GlobalProtect gateway with the following error message: Required client certificate not found.

Fixed an issue where the dataplane restarted after configuring a a deny_all policy.

A fix was made to address an improper handling of exception conditions in the PAN-OS dataplane that enabled an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that caused the service to crash (CVE-2021-3053).

A buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS software allows remote attackers to execute arbitrary code.

A fix was made to address a buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS that allowed a remote attacker to execute arbitrary code (CVE-2020-10188).

Fixed an issue with missing zone entries in CSV or PDF export files.

Fixed an issue where, after a firewall reboot, a commit or auto-commit operation failed with the following error message: ID population failed. This issue occurred because the Phase1 ID assignment failure did not trigger an idmgr reset.

Fixed an intermittent issue where the firewall dropped GPRS Tunneling Protocol (GTP-U) traffic with the message TEID=0x00000000.

Fixed an issue where HIP custom checks for plist failed when the HIP exclusion category were configured under (Mobile User Template > Network > GlobalProtect > Portal<portal-config> > Agent<agent-config> > HIP Data Collection).

(PA-3200 Series firewalls only) Fixed an issue where the HA1-B port remained down after an upgrade from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to PAN-OS 10.0.4.

Fixed an issue where the mgmtsrv process restarted due to a missing protective check around access to potentially NULL pointers.

Fixed an issue where a process (genindex.sh) caused high memory usage on the management plane. Due to the resulting out-of-memory (OOM) condition, multiple processes stopped responding.

Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.

(PA-5000 Series firewalls only) Fixed an issue where the show vpn flow CLI command displayed incorrect details.

Fixed an issue where the per-minute resource monitor was three minutes behind.

Fixed an issue where not all fragmented packets were transmitted, which caused increased packet buffer usage.

Fixed an issue where a dataplane process stopped responding while processing fragmented traffic on GTP-U tunnels.

Fixed an issue where the SYN-ACK packet matched stale entries in the session flow table and was dropped on the firewall with the following error message: Inactive flow state 0.

A fix was made to address a reflect cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).

A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).

Improved QoS scheduling for Bidirectional Forwarding Detection (BFD) and BGP to address the internal handling of BGP and BFD packets under high resource constraints

Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.

Fixed an issue where memory allocation failure caused a process (pan_comm) to restart several times, which caused the firewall to restart.

Fixed a memory leak issue where a process (devsrvr) restarted due to the memory limit being exceeded.

A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).

A debug command was added to provide more verbose output when troubleshooting packet processing on the firewall.

Fixed an issue where secure communication settings were incorrectly synchronized between Panorama appliances in an HA configuration.

Fixed an issue in Panorama where the show config diff command was not working correctly and produced unexpected output.

Fixed an issue where firewall policy configurations displayed [object Object] instead of the object names.

Fixed an issue where removing a cipher from an SSL/TLS profile did not take effect if it was attached to the management interface.