Reset Search
 

 

Article

SA40100 - [Pulse Secure] December 3rd 2015 OpenSSL Security Advisory

« Go Back

Information

 
Product AffectedAll products could be potentially affected
Problem
On December 3rd, 2015 the OpenSSL project announced a group of new security advisories. These issues may affect Pulse Secure products. The OpenSSL advisory can be found at the following link: https://openssl.org/news/secadv/20151203.txt

Pulse Secure is currently investigating the new issues that have been reported.

We are investigating the following issues:
BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
Certificate verify crash with missing PSS parameter (CVE-2015-3194)
X509_ATTRIBUTE memory leak (CVE-2015-3195)
Race condition handling PSK identify hint (CVE-2015-3196)
Solution
Pulse Secure is currently investigating the new issues that have been reported.

 

BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
 
Pulse Connect Secure:Not vulnerable
Pulse Policy Secure:Not vulnerable
Pulse (Desktop) client (Windows & OS X):Not vulnerable
Pulse Mobile (Android):Tentative for Mid-August
Pulse Mobile (iOS):Not vulnerable
Network Connect (Linux):Not vulnerable
Network Connect (Mac OS X):Not vulnerable
Network Connect FIPS (Windows):Not vulnerable
Network Connect (Windows):Not vulnerable
SBR Enterprise:Not vulnerable
Pulse Workspace:Not vulnerable

 

Certificate verify crash with missing PSS parameter (CVE-2015-3194)
 
Pulse Connect Secure:Resolved in 8.2R1.1
Resolved in 8.1R8
Resolved in 8.0R15
Pulse Policy Secure:Resolved in 5.3R1.1
Pulse (Desktop) client (Windows & OSX):Resolved in 5.2R2
Resolved in 5.1R8
Resolved in 5.0R15
Pulse Mobile (Android)Tentative for Mid-August
Pulse Mobile (iOS):Tentative for Mid-August
Network Connect FIPS (Windows):Not vulnerable
Network Connect (Windows, Mac and Linux):Not vulnerable
Pulse Workspace:Under investigation
SBR Enterprise:Under investigation


X509_ATTRIBUTE memory leak (CVE-2015-3195)
 
Pulse Connect Secure:Resolved in 8.2R1.1
Resolved in 8.1R8
Resolved in 8.0R15
Pulse Policy SecureResolved in 5.3R1.1
Pulse (Desktop) client (Windows and OSX):Not vulnerable
All Pulse Mobile (Android & iOS):Not vulnerable
Network Connect (Linux):Not vulnerable
Network Connect (Mac OS X):Not vulnerable
Network Connect FIPS (Windows):Not vulnerable
Network Connect (Windows):Not vulnerable
SBR EnterpriseUnder investigation
Pulse WorkspaceNot vulnerable



Race condition handling PSK identify hint (CVE-2015-3196)

All products have been cleared with exception of SBR and Pulse Workspace.


Document History:

December 3rd 2015 - Initial publication
December 19th 2015 - Product status updates made
February 11th 2016 - Added releases dates for Pulse Connect Secure (PCS) & Pulse Desktop
February 22nd 2016 - Added tentative date for 8.0R15 for PCS
Workaround
Implementation
Related Links
CVSS Score
Risk Assessment
Acknowledgements
Alert TypeSA - Security Advisory
Risk LevelMedium
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255