SA40423 - January 26, 2017 OpenSSL Security Advisory

Problem
On January 26, 2017, the OpenSSL project announced a group of new security advisories. These issues affect all supported versions of Pulse Secure products. For a list of supported software versions, please refer to our EOL policy.

The OpenSSL advisory can be found at the following link: https://www.openssl.org/news/changelog.html.
Solution
Pulse Secure is currently evaluating the following issues reported by OpenSSL:


Truncated packet could crash via OOB read (CVE-2017-3731)

Pulse Connect Secure: Affected if RC4 is enabled**; not affected if RC4 is disabled
Pulse Policy Secure: Affected if RC4 is enabled**; not affected if RC4 is disabled
Pulse Desktop client (Windows & Mac OS X): Tentative for 5.2R8 & 5.1R12
Pulse Mobile (Android): Affected***
Pulse Mobile (iOS) / (FIPS): Not affected
Network Connect / Pulse (Linux): Tentative for 8.2R8 & 8.1R13
Network Connect Windows / macOS: Not affected
Network Connect FIPS (Windows): Tentative for 8.2R8 & 8.1R12
SBR Enterprise: Under Investigation
Odyssey Client (Windows): Under Investigation

** To mitigate this issue, the administrator can disable RC4 on PCS/PPS devices. Please refer to KB30342 - How to disable RC4 cipher suites on a Pulse Connect Secure (PCS) device.
*** Applicable to Android 4.4.4 and below only. Google has disabled RC4 in Android 5.0 and above.
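
One way to confirm that the RC4 mitigation above has taken effect on a PCS/PPS device you administer is to offer it only RC4 suites and see whether it answers with a ServerHello or an alert. This is an added example, not Pulse Secure or OpenSSL code; the function names are hypothetical, the sample replies are constructed, and the hello carries no extensions and only four common RC4 suites, so an "unknown" result is inconclusive rather than proof that RC4 is off.

```python
import socket
import struct

# RC4 cipher suite IDs (IANA TLS registry).
RC4_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
              0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
              0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA"}
# Constructed sample replies (not captured from any real device).
SAMPLE_HELLO = (b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + bytes(32)
                + b"\x00\x00\x05\x00")          # selects TLS_RSA_WITH_RC4_128_SHA
SAMPLE_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"  # fatal handshake_failure (40)

def build_rc4_client_hello():
    """TLS 1.2 ClientHello offering only RC4 suites (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in RC4_SUITES)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites))
            + suites + b"\x01\x00")  # version, random, no session_id, suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Classify the first TLS record: RC4 accepted, rejected by alert, or unknown."""
    if len(data) < 5:
        return ("unknown", None)
    rtype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if rtype == 0x15 and len(payload) >= 2:          # alert: level, description
        return ("rejected", payload[1])
    if rtype == 0x16 and len(payload) >= 4 and payload[0] == 0x02:  # ServerHello
        pos = 4 + 2 + 32                             # handshake header, version, random
        if len(payload) > pos:
            pos += 1 + payload[pos]                  # skip session_id
            if len(payload) >= pos + 2:              # bounds-check truncated replies
                suite = struct.unpack("!H", payload[pos:pos + 2])[0]
                if suite in RC4_SUITES:
                    return ("rc4-accepted", RC4_SUITES[suite])
    return ("unknown", None)

def probe(host, port=443, timeout=5.0):
    """Send the RC4-only hello to a device you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_rc4_client_hello())
        data = b""
        while len(data) < 5 or len(data) < 5 + int.from_bytes(data[3:5], "big"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_reply(data)
```

A result of `("rc4-accepted", ...)` from `probe()` means the device still negotiates RC4 and the mitigation has not been applied to that listener.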

Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)

Pulse Connect Secure: Not affected
Pulse Policy Secure: Not affected
Pulse Desktop client (Windows & Mac OS X): Not affected
Pulse Mobile (Android): Not affected
Pulse Mobile (iOS) / (FIPS): Not affected
Network Connect / Pulse (Linux): Not affected
Network Connect (Mac OS X): Not affected
Network Connect FIPS (Windows): Not affected
SBR Enterprise: Under Investigation
Odyssey Client (Windows): Under Investigation

BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)

Pulse Connect Secure: Not affected
Pulse Policy Secure: Not affected
Pulse Desktop client (Windows & Mac OS X): Not affected
Pulse Mobile (Android): Not affected
Pulse Mobile (iOS) / (FIPS): Not affected
Network Connect / Pulse (Linux): Not affected
Network Connect (Mac OS X): Not affected
Network Connect FIPS (Windows): Not affected
SBR Enterprise: Under Investigation
Odyssey Client (Windows): Under Investigation

Montgomery multiplication may produce incorrect results (CVE-2016-7055)

Pulse Connect Secure: Not affected
Pulse Policy Secure: Not affected
Pulse Desktop client (Windows & Mac OS X): Not affected
Pulse Mobile (Android): Not affected
Pulse Mobile (iOS) / (FIPS): Not affected
Network Connect / Pulse (Linux): Not affected
Network Connect (Mac OS X): Not affected
Network Connect FIPS (Windows): Not affected
SBR Enterprise: Under Investigation
Odyssey Client (Windows): Under Investigation


Document History:

February 17, 2017 - Updated PCS, PPS, Pulse Mobile and Pulse Desktop impact
February 23, 2017 - Updated Network Connect and Pulse Mobile status
February 28, 2017 - Updated tentative date for CVE-2017-3731 for Network Connect / Pulse Linux client
March 1, 2017 - Updated CVE-2017-3730 status for PCS / PPS
April 6, 2017 - Updated CVE-2017-3731 status for Network Connect FIPS (Windows)