PAN-OS 9.0.14 Addressed Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
End-of-Life (EoL)
PAN-OS 9.0.14 Addressed Issues
PAN-OS® 9.0.14 addressed issues.
Issue ID | Description |
---|---|
WF500-5568 | Fixed an issue where a firewall in FIPS
mode running PAN-OS 8.1.18 or a later version failed to connect
with a WildFire appliance in normal mode. |
WF500-5513 | Fixed an issue where cloud queries failed,
which generated system logs. The issue occurred because a hash was
not found in the cloud. |
PAN-170740 | Fixed an issue with the google-docs-uploading application that
occurred if a Security policy rule was applied to a Security profile and
traffic was decrypted. |
PAN-168921 | Fixed an issue in active/active high availability
(HA) configurations where traffic with complete packets was showing
up as incomplete and being disconnected due to a non-session owner
device closing the session prematurely. |
PAN-168298 | Fixed an issue where a firewall superuser
using an LDAP authentication profile that was pushed from Panorama
was unable to save the filter under Monitor > Logs. |
PAN-167989 | Fixed a timing issue between downloading
and installing threads that occurred when Panorama pushed content
updates and the firewall fetched content updates simultaneously. |
PAN-166836 | Fixed an issue where session failed due
to resource unavailability. |
PAN-166328 | (PA-7000 Series firewalls with NPCs
only) Fixed an issue where path monitoring failure occurred
while hot inserting a 100G NPC (network processing card) into the
firewall. |
PAN-166296 | Fixed an issue where an unavailable certificate
revocation list (CRL) from the server side caused an infinite loop
on a process (sslmgr), which resulted in it not responding
for other tasks. |
PAN-166241 | A fix was made to address an improper restriction
of XML external identity (XXE) reference in the PAN-OS web interface
that enabled an authenticated administrator to read any arbitrary
file from the file system and send a specifically crafted request
to the firewall that caused the service to crash (CVE-2021-3055). |
PAN-165661 | Fixed an issue in an HA active/active configuration
where an administrative shutdown message was not sent to the BGP
peer when the firewall went into a suspended state, which delayed convergence. |
PAN-164922 | Fixed an issue on Panorama where a context
switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19
failed. To utilize this fix, upgrade Panorama to PAN-OS 10.0.5. |
PAN-164846 | Fixed an issue where packet buffers were
depleted. |
PAN-164646 | Fixed an issue where tunnel monitoring in
the Large Scale VPN (LSVPN) displayed as down in both the CLI and
the web interface due to incorrect dataplane ownership. |
PAN-164422 | (VM-Series firewalls only) A fix
was made to address improper access control that enabled an attacker
with authenticated access to GlobalProtect portals and GlobalProtect
gateways to connect to the EC2 instance metadata endpoint for VM-Series
firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062). |
PAN-164056 | Fixed a memory issue for LSVPNs with multiple
dataplane systems. |
PAN-162710 | Debug code was introduced to enable additional
logging for flow lookup. |
PAN-162600 | Fixed an issue where, when the GlobalProtect
client sent UDP/4501 traffic that was destined for the GlobalProtect
gateway inside the GlobalProtect tunnel, the firewall still processed
the traffic, which caused routing loops. |
PAN-160744 | Fixed an issue where the negative time difference
between the dataplane and the management plane during the client
certificate info check prevented the GlobalProtect client from connecting
to the GlobalProtect gateway with the following error message: Required client certificate not found. |
PAN-160455 | A fix was made to address an issue where
certain invalid URL entries contained in an External Dynamic List
(EDL) caused the devsrvr process to stop responding (CVE-2021-3048). |
PAN-159944 | Fixed an issue where a process (dnsproxyd) stopped
responding due to an error in the DNS cache operation. |
PAN-159826 | Fixed an issue where SSL VPN memory leaked
when the default browser for SAML authentication on GlobalProtect
was not enabled. |
PAN-159295 | Fixed an issue where scheduled configuration
export files saved in the /tmp folder
in root were not periodically purged, which caused the root partition
to fill up. |
PAN-159135 | Fixed an issue where the firewall rejected
SAML Assertions, which caused user authentication failure when the Validate Identity
Provider Certificate was enabled in the SAML Server
Profile in vsys3 or above. |
PAN-158988 | Fixed an issue with HTTP Header Insertion
where the payload was truncated when processing a segmented TCP
stream and when the client retransmitted the packet with the same
sequence number that was previously received segmented. |
PAN-158844 | Adds additional debugging to be used in
identifying the malformed references causing process crashes during
FQDN refresh. |
PAN-158774 | Fixed an issue where random DNS queries
dropped with the counter ctd_dns_wait_pkt_drop when DNS
security was enabled. |
PAN-158723 | A fix was made to address an improper handling
of exception conditions in the PAN-OS dataplane that enabled an
unauthenticated network-based attacker to send specifically crafted
traffic through the firewall that caused the service to crash (CVE-2021-3053). |
PAN-158638 | Fixed an issue where the firewall returned
the following error message when attempting to request a device
certificate using a one-time password (OTP): invalid ocsp response sig-alg. |
PAN-158439 | Fixed a memory leak on the management server
process on Firewall. |
PAN-158262 | A buffer overflow vulnerability in the Telnet-based
administrative management service included with PAN-OS software
allows remote attackers to execute arbitrary code. A fix was
made to address a buffer overflow vulnerability in the Telnet-based
administrative management service included with PAN-OS that allowed
a remote attacker to execute arbitrary code (CVE-2020-10188). |
PAN-157834 | Fixed an issue with missing zone entries
in CSV or PDF export files. |
PAN-157721 | Fixed an issue where the firewall dropped
GPRS tunneling protocol (GTPv2) Create Session Requests and Responses
that had IEs 201 and 202 with the error Abnormal GTPv2-C message with invalid IE. |
PAN-157346 | Fixed an issue where HIP custom checks for
plist failed when the HIP exclusion category were configured under
(Mobile User Template > Network > GlobalProtect > Portal<portal-config>
> Agent<agent-config> > HIP Data Collection). |
PAN-157035 | (PA-5200 Series firewalls only)
Fixed an intermittent issue where multicast packets traversing the
firewall in VLAN configurations experienced higher drop rates than
expected. |
PAN-157027 | Fixed an issue where, when stateless GTP-U
traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation
loop occurred, which caused high dataplane resource usage. |
PAN-156482 | Fixed a packet buffer issue where HTTP2
packets were held for category lookup and the HTTP request was across
multiple packets. |
PAN-156240 | A fix was made to address an issue where
a cryptographically weak pseudo-random number (PRNG) was used during
authentication to the PAN-OS interface. As a result, attackers with
the capability to observe their own authentication secrets over
a long duration on the firewall had the ability to impersonate another
authenticated web interface administrator’s session (CVE-2021-3047). |
PAN-156225 | (PA-3200 Series firewalls only)
Fixed an issue where the HA1-B port remained down after an upgrade
from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to
PAN-OS 10.0.4. |
PAN-155049 | Fixed an issue with SSLVPN memory leaks
related to the GlobalProtect portal Config Selection Criteria. |
PAN-154602 | Fixed an issue where GlobalProtect users
got disconnected after modifying floating IP HA configuration. |
PAN-154557 | Fixed an issue that caused a process (useridd) core
dump when parsing the Subject Alternative Name from a client certificate
sent in the HIP report. |
PAN-154403 | Fixed an issue with HIP matching logic for
missing patches where previous behavior indicated missing patches
when no patches were missing. |
PAN-154376 | Fixed an issue where a process (mgmtsrvr) stopped
responding and was inaccessible through SSH or HTTPS until the firewall
was power cycled. |
PAN-154016 | Fixed an issue where auto-commits failed
for VM-Series firewalls bootstrapped with new content installation
during bootstrap. The firewalls displayed the following error message: Details:Error: Undefined application <application-name>. |
PAN-153814 | Fixed an issue where the firewall displayed
the URL Filtering Safe Search Block Page on the specific site only,
even when the traffic was matched to a specific rule that did not
have any URL filtering policies. |
PAN-153382 | Fixed an issue where the per-minute resource
monitor was three minutes behind. |
PAN-153316 | CLI commands were added to address an issue
where virtual memory on a process (configd) exceeded
the new 32G limit.
|
PAN-153213 | Fixed a rare issue where TCP packets randomly
dropped due to reassembly failure. |
PAN-152497 | Fixed an issue where the firewall was unable
to create a new GTP-U session when it received Create Session Response
messages, which caused the following error message to display in
the GTP log: GTPv1 message failed stateful inspection. |
PAN-152458 | (VM-Series firewalls on Microsoft Hyper-V
only) Fixed an issue where, when upgrading to PAN-OS 9.0.8
or later, ethernet packets dropped after adding VLAN tags during
egress from a subinterface. To leverage this fix, set the interface
level maximum transmission unit (MTU) to 1496 or less. |
PAN-151521 | Fixed an issue where a process (logrcvr) continuously
restarted at pan_hash_iter_next_i. |
PAN-151395 | Fixed an issue where the firewall repeatedly
logged connection failures to a configured Log Collector. |
PAN-150534 | Fixed an issue where authentication logs
with the subtype SAML were not forwarded to the syslog server. |
PAN-150467 | Fixed a memory leak issue with a unified
query that caused a process (mprelay) to restart due
to an out-of-memory (OOM) condition. |
PAN-150337 | A fix was made to address a reflect cross-site
scripting (XSS) vulnerability in the PAN-OS web interface that enabled
an authenticated network-based attacker to mislead another authenticated
PAN-OS administrator to click on a specially crafted link that performed
arbitrary actions in the web interface as the targeted authenticated
administrator (CVE-2021-3052). |
PAN-150110 | Fixed an issue where Elasticsearch restarted
unexpectedly when it ran out of memory. This was due to the vm.max-map-count value
being set incorrectly in the newer version of Elasticsearch (starting
from PAN-OS 9.0). With this fix, the value is set correctly. |
PAN-150023 | A fix was made to address an issue where
an improper authentication vulnerability enabled a Security Assertion
Markup Language (SAML) authenticated user to impersonate any user
in the GlobalProtect portal and GlobalProtect gateway when they
were configured to use SAML authentication (CVE-2021-3046). |
PAN-149501 | A fix was made to address a memory corruption
vulnerability in the GlobalProtect Clientless VPN that enabled an
authenticated attacker to execute arbitrary code with root user
privileges during SAML authentication (CVE-2021-3056). |
PAN-147827 | Fixed an issue where, when SIP traffic traversing
the firewall was sent with a high QoS Differentiated Services Code
Point (DSCP) value, the DSCP value was reset to the default setting
(CS0). |
PAN-147783 | Checks were added to help prevent the dataplane
from restarting. |
PAN-147781 | A fix was made to address an issue where
an OS command argument injection vulnerability in the PAN-OS web
interface enabled an authenticated administrator to read any arbitrary
file from the file system (CVE-2021-3045). |
PAN-146250 | Fixed an issue where, in two separate but
simultaneous sessions, the same software packet buffer was owned
and processed. |
PAN-146107 | Fixed an issue where memory allocation failure
caused a process (pan_comm) to restart several times,
which caused the firewall to restart. |
PAN-144470 | Fixed an issue where driver descriptor rings
were out of sync in the control plane to dataplane direction, which
caused internal path monitoring heartbeat failures. |
PAN-142621 | Fixed an issue where the firewall was unable
to log debug information in case of kernel panic. |
PAN-141813 | Fixed an issue where multiple daemons restarted
due to a management plane ARP overflow. |
PAN-138727 | A fix was made to address a time-of-check
to time-of-use (TOCTOU) race condition in the PAN-OS web interface
that enabled an authenticated administrator with permission to upload
plugins to execute arbitrary code with root user privileges (CVE-2021-3054). |
PAN-137147 | Fixed an issue where configuration commits
failed due to the dataplane running out of memory in policy cache
allocation. |
PAN-136347 | Fixed an issue where DNS proxy TCP connections
were processed incorrectly, which caused a process (dnsproxy)
to stop responding. |
PAN-133886 | Fixed an issue where GlobalProtect users
were unable to connect to mobile gateways when download of a large
CRL failed due to timeouts that resulted in CRL check failures. |
PAN-132035 | Fixed an issue on Panorama appliances in
an active/passive HA configuration where a managed firewall generated
high priority alerts that it failed to connect to the passive Panorama
appliance's User-ID agent server. This issue occurred because the
firewall was only able to connect to one Panorama User-ID server
at a time, and it connected only to the active Panorama appliance's
User-ID server. |
PAN-115553 | (PA-5200 Series firewalls only)
Fixed an intermittent issue where internal path monitoring failed,
which caused the firewall to unexpectedly restart. |
PAN-110429 | Fixed an issue with firewalls in an HA configuration
where multiple all_pktproc processes stopped responding
due to missing heartbeats, which caused service outages. |