KB44249 - FAQ about Pulse Secure Virtual Traffic Manager (vTM) being impacted by Bleichenbacher's Oracle (ROBOT attack)


Last Modified Date: 8/21/2019 8:52 PM
Solution
Question 1: Is Pulse Secure Virtual Traffic Manager vulnerable to Bleichenbacher's Oracle (ROBOT attack)?
Answer: No. All supported releases of vTM (10.4r3, 17.2r2, 17.4, 18.1, 18.2, 18.3r1, 19.1, 19.2) are not vulnerable to Bleichenbacher's Oracle (ROBOT attack).

Question 2: A security scan report states that the vTM is vulnerable. How is this possible?
Answer: Some possible reasons for this:
  • The website is not hosted on the vTM.
  • There is another network element (SSL proxy, DPI firewall) between the equipment used to perform the security scan and the vTM.
  • The security scan was performed with a measurement error.

Question 3: I am not convinced. Can I have a second opinion?
Answer: Yes. There is an official Python tool to test for ROBOT attack vulnerability at https://robotattack.org/

Question 4: The Python tool says "not vulnerable", but the audit report says "vulnerable". What now?
Answer: First, check that the scan/measurement was done against the correct host, and that there are no SSL network elements in front of the vTM. Second, ask your auditor how the scan is performed. One particularly common error is to (incorrectly) assume that any SSL server that supports RSA is always vulnerable to Bleichenbacher's Oracle (ROBOT attack). If that is the case for the scan report you have received, and there is no recourse with the auditor, you can disable all RSA ciphers on the vTM by, for example, setting System > Global > SSL Configuration > ssl!cipher_suites to: "TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384". Note that this will severely impact compatibility with older browsers and clients.
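The scanner error described in Question 4 rests on conflating "RSA appears in the suite name" with "RSA is the key-exchange method". Bleichenbacher's oracle concerns the PKCS#1 v1.5 decryption of an RSA-encrypted premaster secret, so only suites with RSA key transport (TLS_RSA_*, TLS_RSA_PSK_*) are in scope; (EC)DHE_RSA suites use the RSA key for signatures only, and TLS 1.3 suites have no RSA key exchange at all. The following added example (not Pulse Secure code) audits a space-separated suite list in the format shown for ssl!cipher_suites and reports which class each suite falls in. It assumes IANA suite names (TLS_<kx>_WITH_<cipher>_<mac>, or the TLS 1.3 form TLS_<cipher>_<hash>); the mixed list at the bottom is constructed for illustration.

```python
"""Audit a space-separated TLS cipher-suite list for RSA key transport.

Added example, not Pulse Secure code. Assumes IANA suite names
(TLS_<kx>_WITH_<cipher>_<mac>, or the TLS 1.3 form TLS_<cipher>_<hash>).
"""

from typing import Dict, List

# Classes returned by key_exchange()
RSA_KEY_TRANSPORT = "rsa-key-transport"    # premaster secret encrypted under RSA
RSA_SIGNATURE_ONLY = "rsa-signature-only"  # (EC)DHE with RSA-signed parameters
TLS13 = "tls13"                            # TLS 1.3: no key exchange in the name
OTHER = "other"                            # ECDSA, PSK, anonymous, NULL, ...
UNKNOWN = "unknown"                        # does not follow IANA naming


def key_exchange(suite: str) -> str:
    """Classify one IANA-named cipher suite by how its key exchange uses RSA."""
    name = suite.strip().upper()
    if not name.startswith("TLS_"):
        return UNKNOWN
    if "_WITH_" not in name:
        # TLS 1.3 suites name only the AEAD and hash, e.g. TLS_AES_128_GCM_SHA256.
        return TLS13 if name.startswith(("TLS_AES_", "TLS_CHACHA20_")) else UNKNOWN
    kx_parts = name[len("TLS_"):].split("_WITH_")[0].split("_")
    if kx_parts[0] == "RSA":
        # RSA, RSA_EXPORT, RSA_PSK: the client encrypts (part of) the premaster
        # secret to the server's RSA key with PKCS#1 v1.5 padding.
        return RSA_KEY_TRANSPORT
    if "RSA" in kx_parts:
        # DHE_RSA, ECDHE_RSA, DH_RSA, ECDH_RSA, SRP_SHA_RSA: the RSA key signs or
        # certifies key-agreement parameters; nothing is RSA-decrypted.
        return RSA_SIGNATURE_ONLY
    return OTHER


def audit_suite_list(config_value: str) -> Dict[str, List[str]]:
    """Group every suite in a space-separated list by its key-exchange class."""
    classes = (RSA_KEY_TRANSPORT, RSA_SIGNATURE_ONLY, TLS13, OTHER, UNKNOWN)
    groups: Dict[str, List[str]] = {c: [] for c in classes}
    for suite in config_value.split():
        groups[key_exchange(suite)].append(suite)
    return groups


def uses_rsa_key_transport(config_value: str) -> bool:
    """True if any suite in the list would exercise RSA PKCS#1 v1.5 decryption."""
    return bool(audit_suite_list(config_value)[RSA_KEY_TRANSPORT])


if __name__ == "__main__":
    # The TLS 1.3-only value from the article, and a constructed mixed list.
    article_value = "TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384"
    mixed_value = (
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 "
        "TLS_RSA_WITH_AES_128_CBC_SHA "
        "TLS_AES_128_GCM_SHA256"
    )
    for label, value in (("article", article_value), ("constructed", mixed_value)):
        print(f"{label}: RSA key transport enabled = {uses_rsa_key_transport(value)}")
        for cls, suites in audit_suite_list(value).items():
            if suites:
                print(f"  {cls}: {' '.join(suites)}")
```

Run against the article's TLS 1.3-only value the audit reports no RSA key transport, which is the property the auditor's report should actually be measuring; a list that keeps ECDHE_RSA suites for older clients is also reported as free of RSA key transport, because removing the TLS_RSA_* suites alone removes the decryption step the oracle depends on.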
Related Links
https://robotattack.org/
https://github.com/robotattackorg/robot-detect
Created By: Andy Chernyak