KB43597 - Impact of CVE-2017-5753 (Bounds Check bypass, AKA Spectre), CVE-2017-5715 (Branch Target Injection, AKA Spectre) and CVE-2017-5754 (Meltdown) on Pulse Secure Products

Information

 
Last Modified Date: 1/6/2018 1:56 AM
Synopsis
This article provides detailed information about the impact of the three side-channel attacks listed below on Pulse Secure products.
  • CVE-2017-5753 (Bounds Check Bypass, AKA Spectre)
  • CVE-2017-5715 (Branch Target Injection, AKA Spectre)
  • CVE-2017-5754 (Meltdown)

 
Solution
 
  • The PSA series, MAG series, Secure Access X500 series and Infranet Controller X500 series models that host Pulse Connect Secure, Pulse Policy Secure and Pulse One Appliance (on-prem) solutions are not vulnerable. These issues can only be exploited by software with local access, and the above-mentioned products are designed to run only trusted software provided by Pulse Secure, which effectively mitigates any risk of side-channel analysis from these attacks.
 
  • Pulse Secure Virtual Appliances (SPE) may be impacted by these issues depending on the version of the hypervisor (ESXi, KVM or Hyper-V) that hosts the Pulse Secure Virtual Appliance instance. Please check with the respective hypervisor vendor for their recommendations on how to mitigate any risks from these issues.
 
 
  • Pulse One Cloud solution and Pulse Workspace solution: neither of these cloud-based solutions is vulnerable to these CVEs.
 
  • vADC (vTM, Services Director, vWAF) Software Installation: may be impacted by these issues only if executing on a platform (e.g. an operating system) that is itself vulnerable to these side-channel attacks.
 
  • vADC (Services Director) Virtual Appliances: Services Director 18.1 contains the mitigations for the 3 CVEs. It may be impacted by these issues only if executing on a platform (e.g. a hypervisor) that is itself vulnerable to these side-channel attacks.
 
  • vADC (vTM, vWAF) Virtual Appliances and Bare-Metal: vTM versions 10.4r3, 17.2r2 and 18.1 contain mitigations for the 3 CVEs.
    Further information: the Meltdown mitigation (KPTI) prevents unprivileged processes from reading arbitrary system-wide memory. The mitigations for Spectre variants 1 and 2 do not provide complete protection; they only prevent unprivileged processes from accessing kernel memory, not other applications' memory. Extending this protection to all applications in the OS depends on the delivery of patches from the 3rd-party OS vendor; please refer to https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown for additional information on the delivery of those patches.
    The mitigations are recommended for all customers as an extra layer of protection against other vulnerabilities, and they are required for customers running untrusted 3rd-party software on the machine.
    The mitigations have a performance impact (an increase in CPU usage). Customers should evaluate their deployments to decide whether the mitigations are necessary and how much performance is affected. In vTM, KPTI can be disabled under System > Traffic Managers > Advanced Settings > appliance!disable_kpti; in Services Director, both KPTI and the Spectre mitigations can be disabled from the command line with 'ssc kpti [ enable | disable ]' (and checked with 'show kpti').
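The evaluation step above is easier when the kernel's own view of the mitigation state is read rather than inferred from a product setting. The script below is an added example, not part of this article and not Pulse Secure's `ssc kpti` tooling; it assumes a Linux kernel of 4.15 or later, which exposes the per-issue status under /sys/devices/system/cpu/vulnerabilities (the article points to the Ubuntu security wiki for OS patches, so a Linux host is assumed here). The directory is a parameter so the check can be pointed at a constructed copy; the sample status strings are constructed for the demo, not readings from any Pulse Secure appliance.

```shell
#!/bin/sh
# Added example: report the Linux kernel's sysfs view of the Meltdown and
# Spectre v1/v2 mitigation state. Not from the Pulse Secure article; assumes
# a 4.15+ kernel exposing /sys/devices/system/cpu/vulnerabilities.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map each CVE named in the article to the kernel's sysfs entry name.
CVE_MAP="CVE-2017-5754:meltdown CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2"

# read_status DIR NAME -> the kernel's one-line status, or "unknown" when the
# entry is absent (pre-4.15 kernel, or sysfs hidden inside a container).
read_status() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo "unknown"
    fi
}

# report_mitigations [DIR] -> one line per CVE: "<CVE> <entry>: <status>"
report_mitigations() {
    dir=${1:-$VULN_DIR_DEFAULT}
    for pair in $CVE_MAP; do
        cve=${pair%%:*}
        name=${pair#*:}
        printf '%s %s: %s\n' "$cve" "$name" "$(read_status "$dir" "$name")"
    done
}

# all_mitigated [DIR] -> exit 0 only if every entry reads "Not affected" or
# starts with "Mitigation:". A "Vulnerable..." or "unknown" entry yields 1,
# so the result can gate a deployment check or a monitoring alert.
all_mitigated() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for pair in $CVE_MAP; do
        name=${pair#*:}
        case "$(read_status "$dir" "$name")" in
            "Not affected"|"Mitigation:"*) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# make_sample_tree -> path of a constructed sysfs look-alike (sample data,
# not a real appliance): KPTI on, Spectre v1 mitigated, Spectre v2 still
# reported vulnerable, which is the partial state the article warns about.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}

# Demo against the constructed tree; call report_mitigations with no
# argument to read the live host's sysfs entries instead.
sample=$(make_sample_tree)
report_mitigations "$sample"
if all_mitigated "$sample"; then
    echo "all three issues mitigated"
else
    echo "at least one issue unmitigated or unknown"
fi
```

Run it with no argument on the appliance or hypervisor host to see the live state; a partially mitigated result (as in the constructed sample) is exactly the case where the OS vendor's pending patches, rather than the vTM or Services Director settings, determine the remaining exposure.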
 
Related Issue:
  • Pulse Desktop Windows Client: after installing Microsoft patch KB4056892, end users who use the Pulse Client to initiate the connection may not be able to connect to the PCS/PPS gateway due to Host Checker failures. Please refer to KB43600 for more details and the latest updates on this issue.
Created By: Ruchit Sheth