PAN-SA-2016-0010 Update Server API Exposure
The Palo Alto Networks update server enables downloading of PAN-OS software releases and dynamic updates through a public API. Some functions of the API were inadvertently exposed to the public.
API functions used exclusively by internal workflows were publicly available and could be called remotely. This did not affect Palo Alto Networks customers’ security posture, but some Palo Alto Networks update server data could be accessed.
This issue affects the Palo Alto Networks update server.
CVSSv3.1 Base Score: 0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
Workarounds and Mitigations
API functions that are utilized only by Palo Alto Networks backend systems have been migrated to a server that is internal-facing only. Externally facing functions that were deprecated or unused have been removed from the public-facing server.