PAN-OS 9.0.14 Addressed Issues
Focus
Focus

PAN-OS 9.0.14 Addressed Issues

Table of Contents
End-of-Life (EoL)

PAN-OS 9.0.14 Addressed Issues

PAN-OS® 9.0.14 addressed issues.
Issue ID
Description
WF500-5568
Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.
WF500-5513
Fixed an issue where cloud queries failed, which generated system logs. The issue occurred because a hash was not found in the cloud.
PAN-170740
Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.
PAN-168921
Fixed an issue in active/active high availability (HA) configurations where traffic with complete packets was showing up as incomplete and being disconnected due to a non-session owner device closing the session prematurely.
PAN-168298
Fixed an issue where a firewall superuser using an LDAP authentication profile that was pushed from Panorama was unable to save the filter under Monitor > Logs.
PAN-167989
Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.
PAN-166836
Fixed an issue where session failed due to resource unavailability.
PAN-166328
(PA-7000 Series firewalls with NPCs only) Fixed an issue where path monitoring failure occurred while hot inserting a 100G NPC (network processing card) into the firewall.
PAN-166296
Fixed an issue where an unavailable certificate revocation list (CRL) from the server side caused an infinite loop on a process (sslmgr), which resulted in it not responding for other tasks.
PAN-166241
A fix was made to address an improper restriction of XML external identity (XXE) reference in the PAN-OS web interface that enabled an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that caused the service to crash (CVE-2021-3055).
PAN-165661
Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.
PAN-164922
Fixed an issue on Panorama where a context switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19 failed.
To utilize this fix, upgrade Panorama to PAN-OS 10.0.5.
PAN-164846
Fixed an issue where packet buffers were depleted.
PAN-164646
Fixed an issue where tunnel monitoring in the Large Scale VPN (LSVPN) displayed as down in both the CLI and the web interface due to incorrect dataplane ownership.
PAN-164422
(VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).
PAN-164056
Fixed a memory issue for LSVPNs with multiple dataplane systems.
PAN-162710
Debug code was introduced to enable additional logging for flow lookup.
PAN-162600
Fixed an issue where, when the GlobalProtect client sent UDP/4501 traffic that was destined for the GlobalProtect gateway inside the GlobalProtect tunnel, the firewall still processed the traffic, which caused routing loops.
PAN-161260
Fixed a memory leak issue related to a process (useridd) that occurred when processing high amount of HIP reports as well as a memory leak issue related to the sslvpn process that occurred when the firewall was configured as a GlobalProtect satellite.
PAN-160744
Fixed an issue where the negative time difference between the dataplane and the management plane during the client certificate info check prevented the GlobalProtect client from connecting to the GlobalProtect gateway with the following error message: Required client certificate not found.
PAN-160455
A fix was made to address an issue where certain invalid URL entries contained in an External Dynamic List (EDL) caused the devsrvr process to stop responding (CVE-2021-3048).
PAN-159944
Fixed an issue where a process (dnsproxyd) stopped responding due to an error in the DNS cache operation.
PAN-159826
Fixed an issue where SSL VPN memory leaked when the default browser for SAML authentication on GlobalProtect was not enabled.
PAN-159295
Fixed an issue where scheduled configuration export files saved in the /tmp folder in root were not periodically purged, which caused the root partition to fill up.
PAN-159135
Fixed an issue where the firewall rejected SAML Assertions, which caused user authentication failure when the Validate Identity Provider Certificate was enabled in the SAML Server Profile in vsys3 or above.
PAN-158988
Fixed an issue with HTTP Header Insertion where the payload was truncated when processing a segmented TCP stream and when the client retransmitted the packet with the same sequence number that was previously received segmented.
PAN-158844
Adds additional debugging to be used in identifying the malformed references causing process crashes during FQDN refresh.
PAN-158774
Fixed an issue where random DNS queries dropped with the counter ctd_dns_wait_pkt_drop when DNS security was enabled.
PAN-158723
A fix was made to address an improper handling of exception conditions in the PAN-OS dataplane that enabled an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that caused the service to crash (CVE-2021-3053).
PAN-158638
Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP): invalid ocsp response sig-alg.
PAN-158439
Fixed a memory leak on the management server process on Firewall.
PAN-158262
A buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS software allows remote attackers to execute arbitrary code.
A fix was made to address a buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS that allowed a remote attacker to execute arbitrary code (CVE-2020-10188).
PAN-157834
Fixed an issue with missing zone entries in CSV or PDF export files.
PAN-157721
Fixed an issue where the firewall dropped GPRS tunneling protocol (GTPv2) Create Session Requests and Responses that had IEs 201 and 202 with the error Abnormal GTPv2-C message with invalid IE.
PAN-157346
Fixed an issue where HIP custom checks for plist failed when the HIP exclusion category were configured under (Mobile User Template > Network > GlobalProtect > Portal<portal-config> > Agent<agent-config> > HIP Data Collection).
PAN-157035
(PA-5200 Series firewalls only) Fixed an intermittent issue where multicast packets traversing the firewall in VLAN configurations experienced higher drop rates than expected.
PAN-157027
Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.
PAN-156482
Fixed a packet buffer issue where HTTP2 packets were held for category lookup and the HTTP request was across multiple packets.
PAN-156240
A fix was made to address an issue where a cryptographically weak pseudo-random number (PRNG) was used during authentication to the PAN-OS interface. As a result, attackers with the capability to observe their own authentication secrets over a long duration on the firewall had the ability to impersonate another authenticated web interface administrator’s session (CVE-2021-3047).
PAN-156225
(PA-3200 Series firewalls only) Fixed an issue where the HA1-B port remained down after an upgrade from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to PAN-OS 10.0.4.
PAN-155049
Fixed an issue with SSLVPN memory leaks related to the GlobalProtect portal Config Selection Criteria.
PAN-154602
Fixed an issue where GlobalProtect users got disconnected after modifying floating IP HA configuration.
PAN-154557
Fixed an issue that caused a process (useridd) core dump when parsing the Subject Alternative Name from a client certificate sent in the HIP report.
PAN-154403
Fixed an issue with HIP matching logic for missing patches where previous behavior indicated missing patches when no patches were missing.
PAN-154376
Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.
PAN-154016
Fixed an issue where auto-commits failed for VM-Series firewalls bootstrapped with new content installation during bootstrap. The firewalls displayed the following error message: Details:Error: Undefined application <application-name>.
PAN-153814
Fixed an issue where the firewall displayed the URL Filtering Safe Search Block Page on the specific site only, even when the traffic was matched to a specific rule that did not have any URL filtering policies.
PAN-153382
Fixed an issue where the per-minute resource monitor was three minutes behind.
PAN-153316
CLI commands were added to address an issue where virtual memory on a process (configd) exceeded the new 32G limit.
  • To disable the virtual memory limit, use debug software disable-virt-limit.
  • To enable the virtual memory limit, use debug software enable-virt-limit.
PAN-153213
Fixed a rare issue where TCP packets randomly dropped due to reassembly failure.
PAN-152497
Fixed an issue where the firewall was unable to create a new GTP-U session when it received Create Session Response messages, which caused the following error message to display in the GTP log: GTPv1 message failed stateful inspection.
PAN-152458
(VM-Series firewalls on Microsoft Hyper-V only) Fixed an issue where, when upgrading to PAN-OS 9.0.8 or later, ethernet packets dropped after adding VLAN tags during egress from a subinterface. To leverage this fix, set the interface level maximum transmission unit (MTU) to 1496 or less.
PAN-151521
Fixed an issue where a process (logrcvr) continuously restarted at pan_hash_iter_next_i.
PAN-151395
Fixed an issue where the firewall repeatedly logged connection failures to a configured Log Collector.
PAN-150534
Fixed an issue where authentication logs with the subtype SAML were not forwarded to the syslog server.
PAN-150467
Fixed a memory leak issue with a unified query that caused a process (mprelay) to restart due to an out-of-memory (OOM) condition.
PAN-150337
A fix was made to address a reflect cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).
PAN-150110
Fixed an issue where Elasticsearch restarted unexpectedly when it ran out of memory. This was due to the vm.max-map-count value being set incorrectly in the newer version of Elasticsearch (starting from PAN-OS 9.0). With this fix, the value is set correctly.
PAN-150023
A fix was made to address an issue where an improper authentication vulnerability enabled a Security Assertion Markup Language (SAML) authenticated user to impersonate any user in the GlobalProtect portal and GlobalProtect gateway when they were configured to use SAML authentication (CVE-2021-3046).
PAN-149501
A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).
PAN-147827
Fixed an issue where, when SIP traffic traversing the firewall was sent with a high QoS Differentiated Services Code Point (DSCP) value, the DSCP value was reset to the default setting (CS0).
PAN-147783
Checks were added to help prevent the dataplane from restarting.
PAN-147781
A fix was made to address an issue where an OS command argument injection vulnerability in the PAN-OS web interface enabled an authenticated administrator to read any arbitrary file from the file system (CVE-2021-3045).
PAN-146250
Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.
PAN-146107
Fixed an issue where memory allocation failure caused a process (pan_comm) to restart several times, which caused the firewall to restart.
PAN-144470
Fixed an issue where driver descriptor rings were out of sync in the control plane to dataplane direction, which caused internal path monitoring heartbeat failures.
PAN-142621
Fixed an issue where the firewall was unable to log debug information in case of kernel panic.
PAN-141813
Fixed an issue where multiple daemons restarted due to a management plane ARP overflow.
PAN-138727
A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).
PAN-137147
Fixed an issue where configuration commits failed due to the dataplane running out of memory in policy cache allocation.
PAN-136347
Fixed an issue where DNS proxy TCP connections were processed incorrectly, which caused a process (dnsproxy) to stop responding.
PAN-133886
Fixed an issue where GlobalProtect users were unable to connect to mobile gateways when download of a large CRL failed due to timeouts that resulted in CRL check failures.
PAN-132035
Fixed an issue on Panorama appliances in an active/passive HA configuration where a managed firewall generated high priority alerts that it failed to connect to the passive Panorama appliance's User-ID agent server. This issue occurred because the firewall was only able to connect to one Panorama User-ID server at a time, and it connected only to the active Panorama appliance's User-ID server.
PAN-115553
(PA-5200 Series firewalls only) Fixed an intermittent issue where internal path monitoring failed, which caused the firewall to unexpectedly restart.
PAN-110429
Fixed an issue with firewalls in an HA configuration where multiple all_pktproc processes stopped responding due to missing heartbeats, which caused service outages.