Fixed an issue where a firewall in FIPS mode running PAN-OS 8.1.18 or a later version failed to connect with a WildFire appliance in normal mode.

Fixed an issue where cloud queries failed, which generated system logs. The issue occurred because a hash was not found in the cloud.

Fixed an issue with the google-docs-uploading application that occurred if a Security policy rule was applied to a Security profile and traffic was decrypted.

Fixed an issue in active/active high availability (HA) configurations where traffic with complete packets was showing up as incomplete and being disconnected due to a non-session owner device closing the session prematurely.

Fixed an issue where a firewall superuser using an LDAP authentication profile that was pushed from Panorama was unable to save the filter under Monitor > Logs.

Fixed a timing issue between downloading and installing threads that occurred when Panorama pushed content updates and the firewall fetched content updates simultaneously.

Fixed an issue where session failed due to resource unavailability.

(PA-7000 Series firewalls with NPCs only) Fixed an issue where path monitoring failure occurred while hot inserting a 100G NPC (network processing card) into the firewall.

Fixed an issue where an unavailable certificate revocation list (CRL) from the server side caused an infinite loop on a process (sslmgr), which resulted in it not responding for other tasks.

A fix was made to address an improper restriction of XML external identity (XXE) reference in the PAN-OS web interface that enabled an authenticated administrator to read any arbitrary file from the file system and send a specifically crafted request to the firewall that caused the service to crash (CVE-2021-3055).

Fixed an issue in an HA active/active configuration where an administrative shutdown message was not sent to the BGP peer when the firewall went into a suspended state, which delayed convergence.

Fixed an issue on Panorama where a context switch to a managed firewall running PAN-OS 8.1.0 to PAN-OS 8.1.19 failed.

Fixed an issue where packet buffers were depleted.

Fixed an issue where tunnel monitoring in the Large Scale VPN (LSVPN) displayed as down in both the CLI and the web interface due to incorrect dataplane ownership.

(VM-Series firewalls only) A fix was made to address improper access control that enabled an attacker with authenticated access to GlobalProtect portals and GlobalProtect gateways to connect to the EC2 instance metadata endpoint for VM-Series firewalls hosted on Amazon Web Services (AWS) (CVE-2021-3062).

Fixed a memory issue for LSVPNs with multiple dataplane systems.

Debug code was introduced to enable additional logging for flow lookup.

Fixed an issue where, when the GlobalProtect client sent UDP/4501 traffic that was destined for the GlobalProtect gateway inside the GlobalProtect tunnel, the firewall still processed the traffic, which caused routing loops.

Fixed a memory leak issue related to a process (useridd) that occurred when processing high amount of HIP reports as well as a memory leak issue related to the sslvpn process that occurred when the firewall was configured as a GlobalProtect satellite.

Fixed an issue where the negative time difference between the dataplane and the management plane during the client certificate info check prevented the GlobalProtect client from connecting to the GlobalProtect gateway with the following error message: Required client certificate not found.

A fix was made to address an issue where certain invalid URL entries contained in an External Dynamic List (EDL) caused the devsrvr process to stop responding (CVE-2021-3048).

Fixed an issue where a process (dnsproxyd) stopped responding due to an error in the DNS cache operation.

Fixed an issue where SSL VPN memory leaked when the default browser for SAML authentication on GlobalProtect was not enabled.

Fixed an issue where scheduled configuration export files saved in the /tmp folder in root were not periodically purged, which caused the root partition to fill up.

Fixed an issue where the firewall rejected SAML Assertions, which caused user authentication failure when the Validate Identity Provider Certificate was enabled in the SAML Server Profile in vsys3 or above.

Fixed an issue with HTTP Header Insertion where the payload was truncated when processing a segmented TCP stream and when the client retransmitted the packet with the same sequence number that was previously received segmented.

Adds additional debugging to be used in identifying the malformed references causing process crashes during FQDN refresh.

Fixed an issue where random DNS queries dropped with the counter ctd_dns_wait_pkt_drop when DNS security was enabled.

A fix was made to address an improper handling of exception conditions in the PAN-OS dataplane that enabled an unauthenticated network-based attacker to send specifically crafted traffic through the firewall that caused the service to crash (CVE-2021-3053).

Fixed an issue where the firewall returned the following error message when attempting to request a device certificate using a one-time password (OTP): invalid ocsp response sig-alg.

Fixed a memory leak on the management server process on Firewall.

A buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS software allows remote attackers to execute arbitrary code.

A fix was made to address a buffer overflow vulnerability in the Telnet-based administrative management service included with PAN-OS that allowed a remote attacker to execute arbitrary code (CVE-2020-10188).

Fixed an issue with missing zone entries in CSV or PDF export files.

Fixed an issue where the firewall dropped GPRS tunneling protocol (GTPv2) Create Session Requests and Responses that had IEs 201 and 202 with the error Abnormal GTPv2-C message with invalid IE.

Fixed an issue where HIP custom checks for plist failed when the HIP exclusion category were configured under (Mobile User Template > Network > GlobalProtect > Portal<portal-config> > Agent<agent-config> > HIP Data Collection).

(PA-5200 Series firewalls only) Fixed an intermittent issue where multicast packets traversing the firewall in VLAN configurations experienced higher drop rates than expected.

Fixed an issue where, when stateless GTP-U traffic hit a multi-dataplane firewall, an inter-dataplane fragmentation loop occurred, which caused high dataplane resource usage.

Fixed a packet buffer issue where HTTP2 packets were held for category lookup and the HTTP request was across multiple packets.

A fix was made to address an issue where a cryptographically weak pseudo-random number (PRNG) was used during authentication to the PAN-OS interface. As a result, attackers with the capability to observe their own authentication secrets over a long duration on the firewall had the ability to impersonate another authenticated web interface administrator’s session (CVE-2021-3047).

(PA-3200 Series firewalls only) Fixed an issue where the HA1-B port remained down after an upgrade from PAN-OS 9.1.4 to later 9.1 releases and from PAN-OS 10.0.0 to PAN-OS 10.0.4.

Fixed an issue with SSLVPN memory leaks related to the GlobalProtect portal Config Selection Criteria.

Fixed an issue where GlobalProtect users got disconnected after modifying floating IP HA configuration.

Fixed an issue that caused a process (useridd) core dump when parsing the Subject Alternative Name from a client certificate sent in the HIP report.

Fixed an issue with HIP matching logic for missing patches where previous behavior indicated missing patches when no patches were missing.

Fixed an issue where a process (mgmtsrvr) stopped responding and was inaccessible through SSH or HTTPS until the firewall was power cycled.

Fixed an issue where auto-commits failed for VM-Series firewalls bootstrapped with new content installation during bootstrap. The firewalls displayed the following error message: Details:Error: Undefined application <application-name>.

Fixed an issue where the firewall displayed the URL Filtering Safe Search Block Page on the specific site only, even when the traffic was matched to a specific rule that did not have any URL filtering policies.

Fixed an issue where the per-minute resource monitor was three minutes behind.

CLI commands were added to address an issue where virtual memory on a process (configd) exceeded the new 32G limit.

• To disable the virtual memory limit, use debug software disable-virt-limit.
• To enable the virtual memory limit, use debug software enable-virt-limit.

Fixed a rare issue where TCP packets randomly dropped due to reassembly failure.

Fixed an issue where the firewall was unable to create a new GTP-U session when it received Create Session Response messages, which caused the following error message to display in the GTP log: GTPv1 message failed stateful inspection.

(VM-Series firewalls on Microsoft Hyper-V only) Fixed an issue where, when upgrading to PAN-OS 9.0.8 or later, ethernet packets dropped after adding VLAN tags during egress from a subinterface. To leverage this fix, set the interface level maximum transmission unit (MTU) to 1496 or less.

Fixed an issue where a process (logrcvr) continuously restarted at pan_hash_iter_next_i.

Fixed an issue where the firewall repeatedly logged connection failures to a configured Log Collector.

Fixed an issue where authentication logs with the subtype SAML were not forwarded to the syslog server.

Fixed a memory leak issue with a unified query that caused a process (mprelay) to restart due to an out-of-memory (OOM) condition.

A fix was made to address a reflect cross-site scripting (XSS) vulnerability in the PAN-OS web interface that enabled an authenticated network-based attacker to mislead another authenticated PAN-OS administrator to click on a specially crafted link that performed arbitrary actions in the web interface as the targeted authenticated administrator (CVE-2021-3052).

Fixed an issue where Elasticsearch restarted unexpectedly when it ran out of memory. This was due to the vm.max-map-count value being set incorrectly in the newer version of Elasticsearch (starting from PAN-OS 9.0). With this fix, the value is set correctly.

A fix was made to address an issue where an improper authentication vulnerability enabled a Security Assertion Markup Language (SAML) authenticated user to impersonate any user in the GlobalProtect portal and GlobalProtect gateway when they were configured to use SAML authentication (CVE-2021-3046).

A fix was made to address a memory corruption vulnerability in the GlobalProtect Clientless VPN that enabled an authenticated attacker to execute arbitrary code with root user privileges during SAML authentication (CVE-2021-3056).

Fixed an issue where, when SIP traffic traversing the firewall was sent with a high QoS Differentiated Services Code Point (DSCP) value, the DSCP value was reset to the default setting (CS0).

Checks were added to help prevent the dataplane from restarting.

A fix was made to address an issue where an OS command argument injection vulnerability in the PAN-OS web interface enabled an authenticated administrator to read any arbitrary file from the file system (CVE-2021-3045).

Fixed an issue where, in two separate but simultaneous sessions, the same software packet buffer was owned and processed.

Fixed an issue where memory allocation failure caused a process (pan_comm) to restart several times, which caused the firewall to restart.

Fixed an issue where driver descriptor rings were out of sync in the control plane to dataplane direction, which caused internal path monitoring heartbeat failures.

Fixed an issue where the firewall was unable to log debug information in case of kernel panic.

Fixed an issue where multiple daemons restarted due to a management plane ARP overflow.

A fix was made to address a time-of-check to time-of-use (TOCTOU) race condition in the PAN-OS web interface that enabled an authenticated administrator with permission to upload plugins to execute arbitrary code with root user privileges (CVE-2021-3054).

Fixed an issue where configuration commits failed due to the dataplane running out of memory in policy cache allocation.

Fixed an issue where DNS proxy TCP connections were processed incorrectly, which caused a process (dnsproxy) to stop responding.

Fixed an issue where GlobalProtect users were unable to connect to mobile gateways when download of a large CRL failed due to timeouts that resulted in CRL check failures.

Fixed an issue on Panorama appliances in an active/passive HA configuration where a managed firewall generated high priority alerts that it failed to connect to the passive Panorama appliance's User-ID agent server. This issue occurred because the firewall was only able to connect to one Panorama User-ID server at a time, and it connected only to the active Panorama appliance's User-ID server.

(PA-5200 Series firewalls only) Fixed an intermittent issue where internal path monitoring failed, which caused the firewall to unexpectedly restart.