The purpose of this email is to address three security issues that affect the Pulse Connect Secure (PCS). Pulse Secure has confirmed fixes for all of these issues in our General Access (GA) software today. The first issue involves a fix for an OpenSSL vulnerability, the second addresses a Red Hat Security Advisory and the third provides a fix for a Cross-Site Scripting problem that was identified during a security audit of the PCS. Pulse Secure is recommending that you upgrade your PCS at this time to the latest build of the PCS OS. These security issues affect customers using all versions of the PCS OS. However, it is important to note that there have been no reports of compromises of the PCS.

Summary of Issue(s)
- OpenSSL - CAN-2003-10131, a security concern relating to an extension of a "Bleichenbacher attack".
- Red Hat Security Advisory, RHSA-2003:089-00, to address vulnerabilities in RPC XDR.
- Cross-Site Scripting - Pulse Secure has learned of a potential session hijacking vulnerability in the PCS via a cross-site scripting attack.

It is possible that these issues can be exploited to compromise the system.