CVE-2021-3048
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Certain invalid URL entries contained in an External Dynamic List (EDL) cause the Device Server daemon (devsrvr) to stop responding. This condition causes subsequent commits on the firewall to fail and prevents administrators from performing commits and configuration changes even though the firewall remains otherwise functional. If the firewall then restarts, it results in a denial-of-service (DoS) condition and the firewall stops processing traffic. This issue impacts: PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.9; PAN-OS 10.0 versions earlier than PAN-OS 10.0.5. PAN-OS 8.1 and PAN-OS 10.1 versions are not impacted.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | PAN-OS | 10.1.* | unaffected |
| Palo Alto Networks | PAN-OS | 8.1.* | unaffected |
| Palo Alto Networks | PAN-OS | 9.0 < 9.0.14 | affected |
| Palo Alto Networks | PAN-OS | 9.1 < 9.1.9 | affected |
| Palo Alto Networks | PAN-OS | 10.0 < 10.0.5 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
Workarounds
You can prevent this issue by removing all invalid URL entries from source EDLs or removing the EDL from your configuration.
Additionally, do not configure EDLs from websites that you do not trust.
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.