CVE-2021-3048
Vulnerability from cvelistv5
Published
2021-08-11 17:10
Modified
2024-09-16 19:31
Summary
PAN-OS: Invalid URLs in an External Dynamic List (EDL) can Lead to Firewall Outage
Impacted products
Palo Alto NetworksPAN-OS
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T16:45:51.024Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://security.paloaltonetworks.com/CVE-2020-3048"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PAN-OS",
          "vendor": "Palo Alto Networks",
          "versions": [
            {
              "status": "unaffected",
              "version": "10.1.*"
            },
            {
              "status": "unaffected",
              "version": "8.1.*"
            },
            {
              "changes": [
                {
                  "at": "9.0.14",
                  "status": "unaffected"
                }
              ],
              "lessThan": "9.0.14",
              "status": "affected",
              "version": "9.0",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "9.1.9",
                  "status": "unaffected"
                }
              ],
              "lessThan": "9.1.9",
              "status": "affected",
              "version": "9.1",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "10.0.5",
                  "status": "unaffected"
                }
              ],
              "lessThan": "10.0.5",
              "status": "affected",
              "version": "10.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "This issue is applicable only if an External Dynamic List (EDL) is configured on the firewall.\nAn EDL that contains only domain names or IP addresses will not cause this issue."
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was encountered by some customers of Palo Alto Networks during regular operation."
        }
      ],
      "datePublic": "2021-08-11T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-08-11T17:10:19",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://security.paloaltonetworks.com/CVE-2020-3048"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "This issue is fixed in PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.5, and all later PAN-OS versions.\n\nIf a firewall encounters this problem, you will require TAC assistance to make the firewall operational again."
        }
      ],
      "source": {
        "defect": [
          "PAN-160455"
        ],
        "discovery": "USER"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2021-08-11T00:00:00",
          "value": "Initial publication"
        }
      ],
      "title": "PAN-OS: Invalid URLs in an External Dynamic List (EDL) can Lead to Firewall Outage",
      "workarounds": [
        {
          "lang": "en",
          "value": "You can prevent this issue by removing all invalid URL entries from source EDLs or removing the EDL from your configuration.\n\nAdditionally, do not configure EDLs from websites that you do not trust."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@paloaltonetworks.com",
          "DATE_PUBLIC": "2021-08-11T16:00:00.000Z",
          "ID": "CVE-2021-3048",
          "STATE": "PUBLIC",
          "TITLE": "PAN-OS: Invalid URLs in an External Dynamic List (EDL) can Lead to Firewall Outage"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PAN-OS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "9.0",
                            "version_value": "9.0.14"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "9.1",
                            "version_value": "9.1.9"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "10.0",
                            "version_value": "10.0.5"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_name": "9.0",
                            "version_value": "9.0.14"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_name": "9.1",
                            "version_value": "9.1.9"
                          },
                          {
                            "version_affected": "!\u003e=",
                            "version_name": "10.0",
                            "version_value": "10.0.5"
                          },
                          {
                            "version_affected": "!",
                            "version_name": "10.1",
                            "version_value": "10.1.*"
                          },
                          {
                            "version_affected": "!",
                            "version_name": "8.1",
                            "version_value": "8.1.*"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Palo Alto Networks"
              }
            ]
          }
        },
        "configuration": [
          {
            "lang": "en",
            "value": "This issue is applicable only if an External Dynamic List (EDL) is configured on the firewall.\nAn EDL that contains only domain names or IP addresses will not cause this issue."
          }
        ],
        "credit": [
          {
            "lang": "eng",
            "value": "This issue was encountered by some customers of Palo Alto Networks during regular operation."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-20 Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.paloaltonetworks.com/CVE-2020-3048",
              "refsource": "MISC",
              "url": "https://security.paloaltonetworks.com/CVE-2020-3048"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "This issue is fixed in PAN-OS 9.0.14, PAN-OS 9.1.9, PAN-OS 10.0.5, and all later PAN-OS versions.\n\nIf a firewall encounters this problem, you will require TAC assistance to make the firewall operational again."
          }
        ],
        "source": {
          "defect": [
            "PAN-160455"
          ],
          "discovery": "USER"
        },
        "timeline": [
          {
            "lang": "en",
            "time": "2021-08-11T00:00:00",
            "value": "Initial publication"
          }
        ],
        "work_around": [
          {
            "lang": "en",
            "value": "You can prevent this issue by removing all invalid URL entries from source EDLs or removing the EDL from your configuration.\n\nAdditionally, do not configure EDLs from websites that you do not trust."
          }
        ],
        "x_advisoryEoL": false,
        "x_affectedList": [
          "PAN-OS 10.0.4",
          "PAN-OS 10.0.3",
          "PAN-OS 10.0.2",
          "PAN-OS 10.0.1",
          "PAN-OS 10.0.0",
          "PAN-OS 10.0",
          "PAN-OS 9.1.8",
          "PAN-OS 9.1.7",
          "PAN-OS 9.1.6",
          "PAN-OS 9.1.5",
          "PAN-OS 9.1.4",
          "PAN-OS 9.1.3-h1",
          "PAN-OS 9.1.3",
          "PAN-OS 9.1.2-h1",
          "PAN-OS 9.1.2",
          "PAN-OS 9.1.1",
          "PAN-OS 9.1.0-h3",
          "PAN-OS 9.1.0-h2",
          "PAN-OS 9.1.0-h1",
          "PAN-OS 9.1.0",
          "PAN-OS 9.1",
          "PAN-OS 9.0.13",
          "PAN-OS 9.0.12",
          "PAN-OS 9.0.11",
          "PAN-OS 9.0.10",
          "PAN-OS 9.0.9-h1",
          "PAN-OS 9.0.9",
          "PAN-OS 9.0.8",
          "PAN-OS 9.0.7",
          "PAN-OS 9.0.6",
          "PAN-OS 9.0.5",
          "PAN-OS 9.0.4",
          "PAN-OS 9.0.3-h3",
          "PAN-OS 9.0.3-h2",
          "PAN-OS 9.0.3-h1",
          "PAN-OS 9.0.3",
          "PAN-OS 9.0.2-h4",
          "PAN-OS 9.0.2-h3",
          "PAN-OS 9.0.2-h2",
          "PAN-OS 9.0.2-h1",
          "PAN-OS 9.0.2",
          "PAN-OS 9.0.1",
          "PAN-OS 9.0.0",
          "PAN-OS 9.0"
        ],
        "x_likelyAffectedList": [
          "PAN-OS 8.0.20",
          "PAN-OS 8.0.19-h1",
          "PAN-OS 8.0.19",
          "PAN-OS 8.0.18",
          "PAN-OS 8.0.17",
          "PAN-OS 8.0.16",
          "PAN-OS 8.0.15",
          "PAN-OS 8.0.14",
          "PAN-OS 8.0.13",
          "PAN-OS 8.0.12",
          "PAN-OS 8.0.11-h1",
          "PAN-OS 8.0.10",
          "PAN-OS 8.0.9",
          "PAN-OS 8.0.8",
          "PAN-OS 8.0.7",
          "PAN-OS 8.0.6-h3",
          "PAN-OS 8.0.6-h2",
          "PAN-OS 8.0.6-h1",
          "PAN-OS 8.0.6",
          "PAN-OS 8.0.5",
          "PAN-OS 8.0.4",
          "PAN-OS 8.0.3-h4",
          "PAN-OS 8.0.3-h3",
          "PAN-OS 8.0.3-h2",
          "PAN-OS 8.0.3-h1",
          "PAN-OS 8.0.3",
          "PAN-OS 8.0.2",
          "PAN-OS 8.0.1",
          "PAN-OS 8.0.0",
          "PAN-OS 8.0",
          "PAN-OS 7.1.26",
          "PAN-OS 7.1.25",
          "PAN-OS 7.1.24-h1",
          "PAN-OS 7.1.24",
          "PAN-OS 7.1.23",
          "PAN-OS 7.1.22",
          "PAN-OS 7.1.21",
          "PAN-OS 7.1.20",
          "PAN-OS 7.1.19",
          "PAN-OS 7.1.18",
          "PAN-OS 7.1.17",
          "PAN-OS 7.1.16",
          "PAN-OS 7.1.15",
          "PAN-OS 7.1.14",
          "PAN-OS 7.1.13",
          "PAN-OS 7.1.12",
          "PAN-OS 7.1.11",
          "PAN-OS 7.1.10",
          "PAN-OS 7.1.9-h4",
          "PAN-OS 7.1.9-h3",
          "PAN-OS 7.1.9-h2",
          "PAN-OS 7.1.9-h1",
          "PAN-OS 7.1.9",
          "PAN-OS 7.1.8",
          "PAN-OS 7.1.7",
          "PAN-OS 7.1.6",
          "PAN-OS 7.1.5",
          "PAN-OS 7.1.4-h2",
          "PAN-OS 7.1.4-h1",
          "PAN-OS 7.1.4",
          "PAN-OS 7.1.3",
          "PAN-OS 7.1.2",
          "PAN-OS 7.1.1",
          "PAN-OS 7.1.0",
          "PAN-OS 7.1"
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2021-3048",
    "datePublished": "2021-08-11T17:10:19.346151Z",
    "dateReserved": "2021-01-06T00:00:00",
    "dateUpdated": "2024-09-16T19:31:48.430Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-3048\",\"sourceIdentifier\":\"psirt@paloaltonetworks.com\",\"published\":\"2021-08-11T17:15:07.593\",\"lastModified\":\"2021-08-19T20:05:29.643\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted.\"},{\"lang\":\"es\",\"value\":\"Determinadas entradas de URL no v\u00e1lidas contenidas en una lista din\u00e1mica externa (EDL) hacen que el demonio del servidor de dispositivos (devsrvr) deje de responder. Esta situaci\u00f3n causa que fallen las confirmaciones posteriores en el firewalls e impide a los administradores llevar a cabo confirmaciones y cambios de configuraci\u00f3n, aunque el firewalls siga siendo funcional. Si el firewalls se reinicia, se produce una condici\u00f3n de denegaci\u00f3n de servicio (DoS) y el firewalls deja de procesar el tr\u00e1fico. Este problema afecta a: PAN-OS versiones 9.0 anteriores a PAN-OS 9.0.14; PAN-OS versiones 9.1 anteriores a PAN-OS 9.1.9; PAN-OS  versiones 10.0 anteriores a PAN-OS 10.0.5. Versiones PAN-OS 8.1 y PAN-OS 10.1 no est\u00e1n afectadas\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:N/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":4.3},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]},{\"source\":\"psirt@paloaltonetworks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.0\",\"versionEndExcluding\":\"9.0.14\",\"matchCriteriaId\":\"E9EE274A-3AF1-4204-B43D-1EA54C6442CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.1.0\",\"versionEndExcluding\":\"9.1.9\",\"matchCriteriaId\":\"5075D342-EE42-4659-BD55-2D9FE7496C34\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:paloaltonetworks:pan-os:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0.0\",\"versionEndExcluding\":\"10.0.5\",\"matchCriteriaId\":\"2E92DFB1-AD67-4FF8-9722-200630EA490A\"}]}]}],\"references\":[{\"url\":\"https://security.paloaltonetworks.com/CVE-2020-3048\",\"source\":\"psirt@paloaltonetworks.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://security.paloaltonetworks.com/CVE-2021-3048\",\"source\":\"nvd@nist.gov\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.