JSA10647 - 2014-09 Security Bulletin: Junos Pulse Secure Access Service (SSL VPN): Clickjacking issue (CVE-2014-3823)

Product Affected
This issue can affect all: PCS700, PCS2000, PCS2500, PCS4000 FIPS, PCS4000, PCS4500 FIPS, PCS4500, PCS6000 FIPS, PCS6000, PCS6500 FIPS, PCS6500, MAG2600 PCS, MAG4610 PCS.
Problem
A clickjacking issue has been found in the Pulse Connect Secure product. 'X-Frame-Options' has been added to defend against this type of attack. The attack could take place against authenticated or unauthenticated pages on the SSL VPN.

Pulse Secure PSIRT is not aware of any malicious exploitation of this vulnerability.

No other Pulse Secure products or platforms are affected by this issue.

This issue has been assigned CVE-2014-3823.
Solution
The issue is fixed in PCS releases: 8.0r8, 7.4r13.4, and 7.1r22.2, and all subsequent releases.

[UPDATE] An earlier fix for this issue was found to be incomplete. The versions stated above contain the complete fix that will resolve this issue.
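
A post-upgrade check for the header this bulletin describes, as an added example rather than Pulse Secure's code: it parses a captured response head and reports whether framing is restricted. The response samples are constructed, the function name is hypothetical, and accepting CSP `frame-ancestors` as equivalent protection goes beyond what the bulletin states.

```python
from email.parser import Parser

VALID_XFO = {"DENY", "SAMEORIGIN"}

def framing_protection(raw_response_head):
    """Return (protected, reason) for one HTTP response head (status line + headers)."""
    # Skip the status line; the rest parses as RFC 822-style headers.
    _, _, header_block = raw_response_head.lstrip().partition("\n")
    msg = Parser().parsestr(header_block, headersonly=True)

    # CSP frame-ancestors also restricts framing; a wildcard source does not.
    for policy in msg.get_all("Content-Security-Policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if "*" in parts[1:]:
                    return (False, "frame-ancestors allows any origin")
                return (True, "CSP " + " ".join(parts))

    # Repeated headers and comma-separated lists are flattened to one set of values.
    values = set()
    for header in msg.get_all("X-Frame-Options", []):
        values.update(v.strip().upper() for v in header.split(",") if v.strip())

    if not values:
        return (False, "no X-Frame-Options header")
    if len(values) > 1:
        # Reported as a failure so a conflicting configuration gets reviewed.
        return (False, "conflicting X-Frame-Options values: " + ", ".join(sorted(values)))
    value = values.pop()
    if value in VALID_XFO:
        return (True, "X-Frame-Options: " + value)
    return (False, "unrecognised X-Frame-Options value: " + value)

# Constructed sample response heads (not captured from a real appliance).
SAMPLES = {
    "fixed": "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: SAMEORIGIN\n\n",
    "unfixed": "HTTP/1.1 200 OK\nContent-Type: text/html\n\n",
    "conflict": "HTTP/1.1 200 OK\nX-Frame-Options: DENY\nX-Frame-Options: ALLOWALL\n\n",
    "csp": "HTTP/1.1 200 OK\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\n\n",
}

if __name__ == "__main__":
    for name, head in SAMPLES.items():
        print(name, framing_protection(head))
```

Because the bulletin says both authenticated and unauthenticated pages were exposed, run the check against response heads captured from each kind of page after upgrading.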
Workaround
There is no workaround for this issue. An upgrade to a fixed version of software is required.
CVSS Score
4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Alert Type
SA - Security Advisory
Risk Level
Medium
Legacy ID
JSA10647
