Pulse Secure is currently investigating the new issues that have been reported.
Logjam Vulnerability (CVE-2015-4000)
Vulnerable. Fixes are underway:
| Pulse Connect Secure: | Resolved in 8.0R13.
Resolved in 8.1R6. |
| Pulse Policy Secure: | Resolved in 5.0R13.
Resolved in 5.1R6. |
| Pulse(Desktop) client (Windows & MAC OS X): | Resolved in 5.0R12
Resolved in 5.1R5 |
| Pulse Mobile (Android): | Resolved in 5.2R1. |
| Pulse Mobile (iOS): | Resolved in 5.2R1. |
| Network Connect (Linux): | Resolved in 8.1R7
Resolved in 8.0R14
Resolved in 7.4R13
Resolved in 7.1R22.1 |
| Network Connect (Mac OS X): | Resolved in 8.1R5.
Resolved in 8.0R13. |
| Network Connect FIPS (Windows): | Resolved in 8.1R5
Resolved in 8.0R12
Resolved in 7.4R13.5
Resolved in 7.1R22.2 |
| Network Connect (Windows): | Not vulnerable if Microsoft
patch (MS15-055) is applied. |
| SBR Enterprise: | Waiting for confirmation |
| Pulse Workspace: | Vulnerable: Waiting for ETA |
| Win 8.1 In-Box client | Not Vulnerable |
Invalid free in DTLS (CVE-2014-8176)
Not Vulnerable. Pulse Secure products do not use DTLS.
CMS verify infinite loop with unknown hash function (CVE-2015-1792)
Not Vulnerable.
PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
| Pulse Connect Secure: | Resolved in 8.0R13
Resolved in 8.1R5
Resolved in 7.4R13.5
Resolved in 7.1R22.2 |
| Pulse Policy Secure: | Resolved in 5.0R13
Resolved in 5.1R5 |
| Pulse(Desktop) client (Windows & Mac OS X): | Not Vulnerable |
| Pulse Mobile (Android): | Not Vulnerable |
| Pulse Mobile (iOS): | Not Vulnerable |
| Network Connect FIPS (Windows): | Not Vulnerable |
| Network Connect (Windows, Mac and Linux): | Not Vulnerable |
| Pulse Workspace: | Not Vulnerable |
| SBR Enterprise: | Vulnerable: Waiting for ETA |
Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
Vulnerable. Fixes are underway:
| Pulse Connect Secure: | Resolved in 8.0R13
Resolved in 8.1R5
Resolved in 7.4R13.5
Resolved in 7.1R22.2 |
| Pulse Policy Secure: | Resolved in 5.0R13
Resolved in 5.1R5 |
| Pulse(Desktop) client (Windows and Mac OS X): | Resolved in 5.0R12
Resolved in 5.1R5 |
| All Pulse Mobile (Android & iOS): | Not Vulnerable |
| Network Connect (Linux): | Resolved in 8.1R7
Resolved in 8.0R14
Resolved in 7.4R13
Resolved in 7.1R22.1 |
| Network Connect (Mac OS X): | Resolved in 8.1R5.
Resolved in 8.0R13. |
| Network Connect FIPS (Windows): | Resolved in 8.1R5
Resolved in 8.0R12
Resolved in 7.4R13.5
Resolved in 7.1R22.2 |
| Network Connect (Windows): | Not Vulnerable |
| SBR Enterprise | Vulnerable. Waiting for ETA |
| Pulse Workspace | Not Vulnerable |
Malformed ECParameters causes infinite loop (CVE-2015-1788)
Vulnerable. Fixes are underway:
| Pulse Connect Secure: | Resolved in 8.0R13
Resolved in 8.1R5
Resolved in 7.4R13.5
Resolved in 7.1R22.2 |
| Pulse Policy Secure: | Resolved in 5.0R13
Resolved in 5.1R5 |
| Pulse (Desktop) client (Windows & Mac OSX): | Resolved in 5.0R12
Resolved in 5.1R5 |
| Pulse Mobile (Android): | Resolved in 5.2R1. |
| Pulse Mobile (iOS): | Resolved in 5.2R1. |
| Network Connect (Linux): | Resolved in 8.1R7
Resolved in 8.0R14
Resolved in 7.4R13
Resolved in 7.1R22.1 |
| Network Connect (Mac OS X): | Resolved in 8.1R5.
Resolved in 8.0R13. |
| Network Connect FIPS (Windows): | Resolved in 8.1R5
Resolved in 8.0R12
Resolved in 7.4R13.5
Resolved in 7.1R22.2 |
| Network Connect (Windows): | Not Vulnerable |
| SBR Enterprise | Vulnerable. Waiting for ETA |
| Pulse Workspace | Not Vulnerable |
Race condition with NewSessionTicket (CVE-2015-1791)
Vulnerable. Fixes are underway:
| Pulse Connect Secure: | Not Vulnerable |
| Pulse Policy Secure: | Not Vulnerable |
| Pulse (Desktop) client (Windows & Mac OS X): | Resolved in 5.0R12
Resolved in 5.1R5 |
| Pulse Secure Mobile (Android): | Resolved in 5.2R1. |
| Pulse Secure Mobile (iOS): | Resolved in 5.2R1 |
| Network Connect (Linux): | Resolved in 8.1R7
Resolved in 8.0R14
Resolved in 7.4R13
Resolved in 7.1R22.1 |
| Network Connect (Mac OS X): | Resolved in 8.1R5.
Resolved in 8.0R13. |
| Network Connect FIPS (Windows) | Resolved in 8.1R5
Resolved in 8.0R12
Resolved in 7.4R13.5
Resolved in 7.1R22.2 |
| Network Connect (Windows) | Not Vulnerable |
| SBR Enterprise | Vulnerable - Waiting for ETA |
| Pulse Workspace | Not Vulnerable |
Document History:
June 10th 2015 - Initial publication
July 8th 2015 9:00 AM PST - Adding tentative ETA information
July 16th 2015 4:00 PM PST - Adding tentative ETA informationAugust 3rd 2015 10:00 AM PST - Adding tentative releases and dates for Network Connect FIPS (Windows), Pulse Secure Mobile for iOS and PCS
August 5th 2015 9:00 PM PST - Adding tentative releases date for 7.1 and 7.4 Network Connect FIPS (Windows)
October 7th 2015 9:00 AM PST - Adding tentative releases date for Pulse Mobile for Android
November 3rd 2015 8:00 AM PST - Added fixed releases for Network Connect (Mac OS X)
Jan 18th 2016 9:00 AM PST - Added fixed releases for Network Connect (Linux)
March 1st 2016 19:00 PST - Added In-Box client information to logjam section.
