This PAN-OS® 8.0.6-h3 release includes fixes for four
important issues, including the fix that enables all Palo Alto Networks® customers
running a PAN-OS 8.0 release to immediately protect their networks
from the post-authentication command injection vulnerability covered
in CVE-2017-15940 (PAN-81892;
see PAN-SA-2017-0028 for more details). Note
that the security advisory originally misstated that this vulnerability
issue (PAN-81892) was addressed in the PAN-OS 8.0.6 release. We
have updated the security advisory with the correct information.
We strongly recommend that you upgrade to PAN-OS 8.0.6-h3 or a later
release to fix the vulnerability reported in CVE-2017-15940.
Fixed an issue where PAN-OS removed the
IP address-to-username mappings of end users who logged in to a
GlobalProtect™ internal gateway within a second of logging out from
Fixed an issue where firewalls dropped TCP/UDP-based
application traffic over a GlobalProtect VPN tunnel in high latency
Fixed an issue on Panorama™
M-Series appliances where the configd process stopped responding
operation in which Panorama pushed
configuration changes to Collector Groups.
A security-related fix was made to prevent
a command injection condition through the firewall web interface