Palo Alto Networks patches 9.8 severity CVE in popular GlobalProtect product

Palo Alto Networks (PAN) has issued a patch for a CVSS 9.8-rated buffer overflow affecting a VPN component of its widely used firewall software, warning that the flaw allows unauthenticated attackers to execute arbitrary code on unpatched appliances. While the current version, 10.1, and three before it are not affected, the …

  1. Wally Dug

    Discovered a Year Ago

    Is this the vulnerability that was discovered a year ago but was not disclosed by those that discovered it until recently?

    https://arstechnica.com/gadgets/2021/11/vpn-vulnerability-on-10k-servers-has-severity-rating-of-9-8-out-of-10/

    Security firm Randori said on Wednesday that it discovered the vulnerability 12 months ago and for most of the time since has been privately using it in its red team products, which help customers test their network defenses against real-world threats.

    1. Gene Cash

      Re: Discovered a Year Ago

      OK, in my opinion, that takes them directly from "security firm" to "black hat hackers" - they're exploiting an undisclosed vulnerability for their own financial gain.

      1. Clausewitz 4.0

        Re: Discovered a Year Ago

        It's a grayish black area

  2. Clausewitz 4.0

    Patch Poem

    Patch, patch while you can act, and fast

    Expensive tech it is

    Meets bravery to keep it in place - ohhh good biz

    With brain ideas gone

    No more insights, not even one

    Exploits new sure will appear

    Foreign fellas, will then fear

  3. James12345

    It must have been a slow day in the Reg news room

    Furious Reg reader John needs to relax before he has a heart attack. It's not healthy getting so stressed about stuff as minor as this. (Furious Reg reader John was too good a forum name not to use, so I've taken it!)

    Patch your firewalls that are running Ver 8.1.16 or older, as 8.1.17 fixes the issue. BTW - 8.1.17 was released over a year ago. If you are stuck on the 8.1 train, then you should already be running 8.1.20 and be evaluating 8.1.21 (or have already deployed it).

    The release trains for 9.0.x / 9.1.x / 10.0.x / 10.1.x have never had the issue.

    Really not sure why The Reg is getting its panties in a knot about this one.
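    The version rule stated in the comment above (8.1.16 and older vulnerable, 8.1.17 fixes it, the 9.0.x / 9.1.x / 10.0.x / 10.1.x trains unaffected), turned into an inventory triage script. This is an added example, not code from the commenter or from Palo Alto Networks; the `-hN` hotfix suffix handling and the sample hostnames are assumptions.

```python
"""Triage a PAN-OS version inventory against the rule stated in the comment above."""
import re
from typing import Dict, Optional, Tuple

# Rule as stated in the comment: only the 8.1 train is affected, fixed in 8.1.17;
# the trains listed below are said never to have had the issue.
AFFECTED_TRAIN = (8, 1)
FIXED_VERSION = (8, 1, 17)
UNAFFECTED_TRAINS = {(9, 0), (9, 1), (10, 0), (10, 1)}

# Assumed PAN-OS version syntax: major.minor.maint with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a version string; return None so unparseable entries get manual review."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def classify(version_text: str) -> str:
    """Return 'vulnerable', 'patched', 'unaffected' or 'unknown' for one appliance."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v[:2] in UNAFFECTED_TRAINS:
        return "unaffected"
    if v[:2] != AFFECTED_TRAIN:
        return "unknown"  # train not mentioned in the comment; check the vendor advisory
    # Compare on the base version only: a hotfix of 8.1.16 is still treated as
    # "8.1.16 or older", since the comment names 8.1.17 as the fixing release.
    return "patched" if v[:3] >= FIXED_VERSION else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.1.16",
    "fw-edge-02": "8.1.17-h1",
    "fw-dc-01": "8.1.20",
    "fw-branch-03": "9.1.11",
    "fw-lab-01": "8.1",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:10} {status}")
```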

    1. Clausewitz 4.0

      Re: It must have been a slow day in the Reg news room

      QUOTE: "around 10,000 vulnerable firewalls were viewable across the wider internet earlier this week"

      If you could only imagine how many systems can be in the intranet of those 10,000 exposed, unpatched, vulnerable appliances...

      1. Furious Reg reader John

        Re: It must have been a slow day in the Reg news room

        Indeed, but that has no bearing on a public announcement of a vulnerability that was patched a year ago. If system admins can't be bothered to patch their kit, it doesn't really matter to them how quickly or slowly a vendor releases patches.
