CVE-2022-0011

PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering

Description

PAN-OS software provides options to exclude specific websites from URL category enforcement and those websites are blocked or allowed (depending on your rules) regardless of their associated URL category. This is done by creating a custom URL category list or by using an external dynamic list (EDL) in a URL Filtering profile. When the entries in these lists have a hostname pattern that does not end with a forward slash (/) or a hostname pattern that ends with an asterisk (*), any URL that starts with the specified pattern is considered a match. Entries with a caret (^) at the end of a hostname pattern match any top level domain. This may inadvertently allow or block more URLs than intended and allowing more URLs than intended represents a security risk. For example: example.com will match example.com.website.test example.com.* will match example.com.website.test example.com.^ will match example.com.test You should take special care when using such entries in policy rules that allow traffic. Where possible, use the exact list of hostname names ending with a forward slash (/) instead of using wildcards. PAN-OS 10.1 versions earlier than PAN-OS 10.1.3; PAN-OS 10.0 versions earlier than PAN-OS 10.0.8; PAN-OS 9.1 versions earlier than PAN-OS 9.1.12; all PAN-OS 9.0 versions; PAN-OS 8.1 versions earlier than PAN-OS 8.1.21, and Prisma Access 2.2 and 2.1 versions do not allow customers to change this behavior without changing the URL category list or EDL.

Remediation

Solution:

  • PAN-OS 8.1.21, PAN-OS 9.1.12, PAN-OS 10.0.8, PAN-OS 10.1.3, Prisma Access 3.0 Preferred, and Prisma Access 3.0 Innovation all include a customer configurable option to automatically append a forward slash at the end of the hostname pattern for entries without an ending token in a custom URL category list or in an external dynamic list (EDL). Prisma Access customers should refer to “STEP 7” in the following Prisma Access 3.0 documentation to enable this feature: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/prisma-access-service-infrastructure/enable-the-service-infrastructure.html For other PAN-OS appliances, this option is enabled by running these CLI commands: debug device-server append-end-token on commit force Note: This option is disabled by default on PAN-OS 8.1, PAN-OS 9.1, PAN-OS 10.0, and PAN-OS 10.1. This option will be enabled by default starting with the next major version of PAN-OS. This option is not available on PAN-OS 9.0. Customers with PAN-OS 9.0 are advised to apply workarounds or upgrade to PAN-OS 9.1 or a later version. Additionally, customers must evaluate their custom URL category list or their external dynamic list (EDL) and any firewall policy rules that depend on them to determine whether this option provides the desired policy rule enforcement. Example 1: If the firewall policy rule is intended to allow only 'www.example.com' and not to allow access to any other site, such as www.example.com.webiste.test, then use the "debug device-server append-end-token on" CLI command. Example 2: If the firewall policy rule is set to block access to 'www.example.co' and block access to sites such as www.example.com, www.example.co.az, then keep the default setting ("debug device-server append-end-token off" CLI command). You should always use the most appropriate token if you need to match multiple hostnames in a policy rule.

Workaround:

  • Add a forward slash (/) at the end of the hostname pattern for all entries in the custom URL category list or the external dynamic list (EDL). For example: example.com/ will not match example.com.website.test

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.51%
Vendor Advisory paloaltonetworks.com
Affected: Palo Alto Networks PAN-OS
Affected: Palo Alto Networks Prisma Access
Published at:
Updated at:

References

Link Tags
https://security.paloaltonetworks.com/CVE-2022-0011 mitigation vendor advisory

Frequently Asked Questions

What is the severity of CVE-2022-0011?
CVE-2022-0011 has been scored as a medium severity vulnerability.
How to fix CVE-2022-0011?
To fix CVE-2022-0011: PAN-OS 8.1.21, PAN-OS 9.1.12, PAN-OS 10.0.8, PAN-OS 10.1.3, Prisma Access 3.0 Preferred, and Prisma Access 3.0 Innovation all include a customer configurable option to automatically append a forward slash at the end of the hostname pattern for entries without an ending token in a custom URL category list or in an external dynamic list (EDL). Prisma Access customers should refer to “STEP 7” in the following Prisma Access 3.0 documentation to enable this feature: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/prisma-access-service-infrastructure/enable-the-service-infrastructure.html For other PAN-OS appliances, this option is enabled by running these CLI commands: debug device-server append-end-token on commit force Note: This option is disabled by default on PAN-OS 8.1, PAN-OS 9.1, PAN-OS 10.0, and PAN-OS 10.1. This option will be enabled by default starting with the next major version of PAN-OS. This option is not available on PAN-OS 9.0. Customers with PAN-OS 9.0 are advised to apply workarounds or upgrade to PAN-OS 9.1 or a later version. Additionally, customers must evaluate their custom URL category list or their external dynamic list (EDL) and any firewall policy rules that depend on them to determine whether this option provides the desired policy rule enforcement. Example 1: If the firewall policy rule is intended to allow only 'www.example.com' and not to allow access to any other site, such as www.example.com.webiste.test, then use the "debug device-server append-end-token on" CLI command. Example 2: If the firewall policy rule is set to block access to 'www.example.co' and block access to sites such as www.example.com, www.example.co.az, then keep the default setting ("debug device-server append-end-token off" CLI command). You should always use the most appropriate token if you need to match multiple hostnames in a policy rule.
Is CVE-2022-0011 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-0011 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-0011?
CVE-2022-0011 affects Palo Alto Networks PAN-OS, Palo Alto Networks Prisma Access.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.