PT-2022-12948 · Palo Alto Networks · Pan-Os+1

Chris Johnston

·

Published

2022-02-09

·

Updated

2022-02-17

·

CVE-2022-0011

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

PAN-OS versions prior to 10.1.3
PAN-OS versions prior to 10.0.8
PAN-OS versions prior to 9.1.12
PAN-OS 9.0 versions
PAN-OS versions prior to 8.1.21
Prisma Access versions 2.2 and 2.1

Description

The issue arises from how PAN-OS software handles hostname patterns in custom URL category lists or external dynamic lists (EDL) used in URL Filtering profiles. Patterns that do not end with a forward slash (/), or that end with an asterisk (*), match any URL that starts with the specified pattern, so they can allow or block more URLs than intended. This is a security risk, especially when such entries are used in policy rules that allow traffic. For example, example.com will match example.com.website.test, example.com.* will match example.com.website.test, and example.com.^ will match example.com.test. It is recommended to use exact hostnames ending with a forward slash (/) instead of wildcards where possible.

Recommendations

For PAN-OS versions prior to 10.1.3, update to version 10.1.3 or later.
For PAN-OS versions prior to 10.0.8, update to version 10.0.8 or later.
For PAN-OS versions prior to 9.1.12, update to version 9.1.12 or later.
For PAN-OS 9.0 versions, update to a version later than 9.0.
For PAN-OS versions prior to 8.1.21, update to version 8.1.21 or later.
For Prisma Access versions 2.2 and 2.1, consider changing the URL category list or EDL to mitigate the risk until a version update is available.

As a temporary workaround, consider using exact hostnames ending with a forward slash (/) instead of wildcards in policy rules that allow traffic.
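The prefix-matching behaviour described above, together with an audit that flags the entries the workaround targets, as an added Python example (not Palo Alto Networks code). SAMPLE_EDL is a constructed list, and matches() is a simplified model of the behaviour the advisory describes, not the PAN-OS matching engine.

```python
import re

# Constructed sample custom URL category / EDL used by a rule that allows traffic.
SAMPLE_EDL = """
example.com
example.com.*
example.com.^
example.com/
www.example.com/
"""

def is_overbroad(entry: str) -> bool:
    """Per the advisory: risky when the entry ends with '*' or lacks a trailing '/'."""
    return entry.endswith("*") or not entry.endswith("/")

def suggest_exact(entry: str) -> str:
    """Rewrite to the exact-hostname form the advisory recommends (trailing '/')."""
    host = entry.rstrip("/")
    while host.endswith((".*", ".^")):  # drop trailing wildcard labels
        host = host[:-2]
    return host + "/"

def audit(edl_text: str) -> list:
    """Return (entry, reason, suggested) for each over-broad entry; '#' lines skipped."""
    findings = []
    for line in edl_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if is_overbroad(entry):
            reason = "ends with '*'" if entry.endswith("*") else "no trailing '/'"
            findings.append((entry, reason, suggest_exact(entry)))
    return findings

def matches(entry: str, host: str) -> bool:
    """Simplified model of the described behaviour (an assumption, not the PAN-OS
    engine): a trailing '/' means exact host; otherwise the pattern is a prefix,
    with '^' standing for one DNS label and '*' for one or more labels."""
    if entry.endswith("/"):
        return host == entry[:-1]
    parts = []
    for label in entry.split("."):
        if label == "*":
            parts.append(r"[^.]+(?:\.[^.]+)*")
        elif label == "^":
            parts.append(r"[^.]+")
        else:
            parts.append(re.escape(label))
    return re.match(r"\.".join(parts), host) is not None  # no '$': prefix match
```

Running audit(SAMPLE_EDL) flags the first three entries and proposes example.com/ for each; matches() reproduces the three examples from the description while the exact form example.com/ matches only example.com.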

Related Identifiers

CVE-2022-0011

Affected Products

Pan-Os
Prisma Access