Glibc DNS Resolver Vulnerability (PAN-SA-2016-0021)

Last revised: 10/18/2016


A vulnerability in the GNU libc (glibc) DNS resolver allows remote code execution (CVE-2015-7547). However, this issue can be exploited only from a DNS server that is under the control of an attacker. (Ref # 91886).

Severity: Low

This glibc issue is only exploitable by an attacker controlling the DNS server configured for the device. Furthermore, the attacker must overcome additional anti-exploitation mitigations, such as ASLR, to mount a successful attack.

Products Affected

PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.12 and earlier; PAN-OS 7.0.7 and earlier; PAN-OS 7.1.3 and earlier

Available Updates

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.13 and later; PAN-OS 7.0.8 and later; PAN-OS 7.1.4 and later

Workarounds and Mitigations

This vulnerability can affect PAN-OS software only when the device is configured with a DNS server that is under the control of an attacker. Palo Alto Networks discourages configuring the device with untrusted DNS servers.