Version Minor Version Suggested Solution PAN-OS 11.2 11.2.0 through 11.2.4 Upgrade to 11.2.5 or later PAN-OS 11.111.1.0 through 11.1.7 Upgrade to 11.1.8 or later PAN-OS 11.0 (EoL) Upgrade to a supported fixed versionPAN-OS 10.210.2.13Upgrade to 10.2.13-h5 or 10.2.14 or later  10.2.0 through 10.2.13 Upgrade to 10.2.14 or later PAN-OS 10.1 10.1.0 through 10.1.14Upgrade to 10.1.14-h11 or laterAll other older unsupported PAN-OS versions Upgrade to a supported fixed version.

To be vulnerable, all of the following conditions must be true: * You must have enabled LLDP in your PAN-OS software to be vulnerable to this issue. You can verify whether you have LLDP enabled by following these steps in your web interface: * Select Network > LLDP. * In the LLDP General settings, verify whether LLDP is enabled (checked). * LLDP must be enabled on at least one network interface. You can verify whether you have LLDP enabled on an interface by following these steps in your web interface: * Select Network > LLDP. * Verify if any interfaces are listed * Verify if for any listed interface LLDP is enabled (checked)  * The LLDP profile associated with the an interface must have the "Mode" configured to "transmit-receive" or "receive-only". You can verify the "Mode" in your LLDP profile by following these steps in your web interface: * Select Network > LLDP. * For any interfaces where LLDP is enabled, find the profile associated with it. * Select Network > Network Profiles > LLDP Profile * Select the profile used with the interface * Verify if the "Mode" is set to "transmit-receive" or "receive-only"

Option 1: If you are not using LLDP, you should disable it to mitigate this issue by performing the following steps in your web interface: * Select Network > LLDP. * Open LLDP General settings. * Disable (uncheck) LLDP. Option 2: You can disable LLDP for your network interfaces by performing the following steps in your web interface: * Select Network > Interfaces and select the interface you wish to disable LLDP for. * Select Advanced > LLDP. * Disable (uncheck) LLDP.  Option 3: If you are using LLDP only to advertise information about your PAN-OS device to other neighboring devices, you should set the LLDP mode to transmit-only for the profile used on your network interfaces by performing the following steps in your web interface: * Select Network > Network Profiles > LLDP Profile * Select the profile used with the interface * Set the "Mode" to "transmit-only".

Palo Alto Networks is not aware of any malicious exploitation of this issue.