JSA10647 - 2014-09 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Clickjacking issue (CVE-2014-3823)

Product Affected: This issue can affect all: PCS700, PCS2000, PCS2500, PCS4000 FIPS, PCS4000, PCS4500 FIPS, PCS4500, PCS6000 FIPS, PCS6000, PCS6500 FIPS, PCS6500, MAG2600 PCS, MAG4610 PCS.
A clickjacking issue has been found in the Pulse Connect Secure product. 'X-Frame-Options' has been added to defend against this type of attack. The attack could take place against authenticated or unauthenticated pages on the SSL VPN.

Pulse Secure PSIRT is not aware of any malicious exploitation of this vulnerability.

No other Pulse Secure products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3823.
The issue is fixed in PCS releases: 8.0r8, 7.4r13.4, and 7.1r22.2, and all subsequent releases.

[UPDATE] An earlier fix for this issue was found to be incomplete. The versions stated above contain the complete fix that will resolve this issue.
There is no workaround for this issue. An upgrade to a fixed version of software is required.
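
The advisory states that 'X-Frame-Options' was added and that both authenticated and unauthenticated pages were exposed, so a post-upgrade check should cover every page type. The Python check below is an added example, not vendor code: the paths and header sets are constructed placeholders, and the Content-Security-Policy `frame-ancestors` handling goes beyond what the advisory describes.

```python
# Added example: classifies anti-framing headers in captured HTTP responses.
# Paths and header values are constructed placeholders, not real product URLs.

def framing_protection(headers):
    """Return (status, reason) for a list of (name, value) response headers."""
    lower = [(n.strip().lower(), v.strip()) for n, v in headers]
    # CSP frame-ancestors is the standardized successor to X-Frame-Options.
    for name, value in lower:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if "*" in parts[1:]:
                    return ("review", "frame-ancestors allows any origin")
                return ("protected", "frame-ancestors " + (" ".join(parts[1:]) or "'none'"))
    # Collect every X-Frame-Options token, including comma-joined duplicates.
    tokens = {t.strip().upper() for n, v in lower if n == "x-frame-options"
              for t in v.split(",") if t.strip()}
    if not tokens:
        return ("missing", "no X-Frame-Options or frame-ancestors")
    if tokens in ({"DENY"}, {"SAMEORIGIN"}):
        return ("protected", "X-Frame-Options " + tokens.pop())
    # ALLOW-FROM is obsolete and ignored by current browsers; mixed values need a look.
    return ("review", "not a single DENY or SAMEORIGIN value: " + ", ".join(sorted(tokens)))

def audit(responses):
    """Classify each path; return (results, sorted paths that are not protected)."""
    results = {path: framing_protection(h) for path, h in responses.items()}
    return results, sorted(p for p, (s, _) in results.items() if s != "protected")

# Constructed sample: one entry per page type a reviewer would capture.
SAMPLE = {
    "/login-placeholder": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "/portal-placeholder": [("Content-Type", "text/html")],
    "/help-placeholder": [("x-frame-options", "ALLOW-FROM https://example.test")],
    "/admin-placeholder": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
}

if __name__ == "__main__":
    results, failing = audit(SAMPLE)
    for path, (status, reason) in sorted(results.items()):
        print(f"{status:9} {path}: {reason}")
    print("needs attention:", failing)
```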
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Alert Type: SA - Security Advisory
Risk Level: Medium
Legacy ID: JSA10647