Why am I seeing a large increase with potential false positives for UTID: 38249?
6551
Created On 02/18/22 18:25 PM - Last Modified 04/12/22 23:13 PM
Question
Why am I seeing a large increase with potential false positives for UTID: 38249?
Answer
UTID: 38249 was originally released on 2015-08-25 to provide protection from CVE-2015-1692. This CVE was a critical vulnerability within Internet Explorer 6-11. On 2022-02-03 a revision to the signature was released with Content Update 8523.
Customers are reporting a sharp increase in JS Script being blocked by the firewall as false positives. Palo Alto Networks is researching releasing a 911 release to disable this signature.
If a customer is reporting a false positive for this signature, they can implement a Threat Exception to allow valid traffic. Since this is a vulnerability signature the exception can be pinned down to only trusted IPs. The following document outlines Threat Exceptions.
Create Threat Exceptions
UPDATE: A modified version of UTID 38249 was released in 911 content update Version 8530 on 3/18/2021.
Additional Information
References:
https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2015/ms15-043?redirectedfrom=MSDN
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1692