Ivanti Pulse Engineering teams are investigating these vulnerabilities. For the results of the investigations and further details, refer to the chart below.

| Product | Description | Impacted | Remediation |
|---|---|---|---|
| Pulse Secure Virtual Traffic Manager | Although the affected library is present and used, the affected function is not used. | Not Affected | N/A |
| Pulse Secure Services Director | It may be possible for an attacker to use a specially crafted certificate to trigger this issue in the SSH server (via certificate-based authentication). Administrators can trigger this by updating the server certificate with a specially crafted certificate. | 21.1R1 and below | Upgrade to 21.1R2 |
| Pulse Secure Web Application Firewall | | Under Investigation | Under Investigation |
| Pulse Connect Secure | This vulnerability will show up when parsing certificates regardless of the type of certificate the server is expecting to receive (i.e. RSA, Elliptic Curve, etc.). Case 1: An attacker sends a maliciously crafted certificate and certain conditions are met in the user authentication or authorization process that require the PCS server to attempt to read the certificate. Case 2: The PCS acts as the client in connecting to another server, and that server uses a maliciously crafted certificate for the TLS negotiation. | 9.1R14 and below | Upgrade to 9.1R14.1 or 9.1R13.2 (*See below for more version info) |
| Ivanti Connect Secure (ICS) | | 21.12R1.0 and below | Upgrade to 22.1R1.0 (*See below for more version info) |
| Pulse Policy Secure | This vulnerability will show up when parsing certificates regardless of the type of certificate the server is expecting to receive (i.e. RSA, Elliptic Curve, etc.). Case 1: An end-user RADIUS client attacks the PPS server using a crafted client certificate when EAP-TLS authentication is used. Case 2: PPS can be compromised when it deals with any external complementary TLS service that uses a compromised or crafted server certificate. | 9.1R14 and below | Upgrade to 9.1R14.1 (*See below for more version info) |
| Pulse Desktop Client | This would be a secondary attack following a complex attack in which an attacker is able to get client machines running the PDC to attempt to connect to their server. If successful, the impact would be user machine restarts. | 9.1R14 and below | Upgrade to 9.1R15 (*See below for more info) |
| Pulse Mobile Client | | Under Investigation | Under Investigation |
| Pulse One | This vulnerability will show up when parsing certificates that contain elliptic curve public keys. | 2.0.2104 and below | Upgrade to 2.0.2201 |
| Pulse ZTA | | Under Investigation | Under Investigation |
| Ivanti Neurons for ZTA | | Under Investigation | Under Investigation |
| Ivanti Neurons for Secure Access | | Under Investigation | Under Investigation |
*Additional Notes: To obtain any of the upgrade versions for remediation mentioned above, go to the Licensing and Download section at https://my.pulsesecure.net.

- 9.1R15 for PCS has been released and is available in the Licensing and Download section at https://my.pulsesecure.net.
- 9.1R14.1 for PCS has been released and is available in the Licensing and Download section at https://my.pulsesecure.net.
- 9.1R13.2 for PCS has been released and is available in the Licensing and Download section at https://my.pulsesecure.net.
- 22.1R1.0 for ICS has been released and is available in the Licensing and Download section at https://my.pulsesecure.net.
- 9.1R15 for Pulse Desktop Client has been released and is available in the Licensing and Download section at https://my.pulsesecure.net.