PAN-SA-2016-0010 Update Server API Exposure

Severity 0 · NONE
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact NONE

Description

The Palo Alto Networks update server enables downloading of PAN-OS software releases and dynamic updates through a public API. Some functions of the API were inadvertently exposed to the public.

API functions that were publicly available but used exclusively by internal workflows could be called remotely. This did not affect Palo Alto Networks customers’ security posture, but some Palo Alto Networks update server data could be accessed.

This issue affects the Palo Alto Networks update server.

Product Status

Versions    Affected    Unaffected
Update server none

Severity: NONE

CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)

Weakness Type

Solution

N/A

Workarounds and Mitigations

API functions that are used only by Palo Alto Networks backend systems have been migrated to a server that is internal-facing only. Externally facing functions that were deprecated or unused have been removed from the public-facing server.

Acknowledgments

Mikail Tunç