Solution
Last Update: 10.00 a.m. June 25th 2014 Pacific Daylight Savings.
OpenSSL MITM vulnerability (CVE-2014-0224) is resolved in the following releases:
- Pulse Connect Secure Version 8.0R4.1 and Pulse Secure Desktop Version 5.0R4.1
  - Additional issues below are resolved in this release:
    - CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
    - CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
    - CVE-2014-3470 Anonymous ECDH denial of service - Please note that Secure Access is not vulnerable, but the patches were implemented.
- Pulse Connect Secure 7.4R11.1 and Pulse Secure Desktop Version 4.0R11.1
  - Additional issues below are resolved in this release:
    - CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
    - CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection or denial of service
    - CVE-2014-3470 Anonymous ECDH denial of service - Please note that Secure Access is not vulnerable, but the patches were implemented.
- Pulse Connect Secure 7.1R19.1
  - Please note, the server side is not vulnerable. 7.1r19.1 will be made available to address the Linux Network Connect clients. For Pulse Secure Desktop clients, please use the Pulse Secure Desktop 5.0r4.1 or 4.0r11.1 releases.
** - For Virtual Appliance (VA) SPE and DTE versions, download and upgrade the PCS software to apply the fix.
** - Network Connect for Mac OS X leverages the OpenSSL version installed on Mac OS X. Please note that the OpenSSL MITM vulnerability (CVE-2014-0224) can only be exploited if both server and client are vulnerable to this issue. If only one of the two is vulnerable, there is no risk of exploitation. Hence patching the server side will help mitigate the issue.
** - For Core Access / Rewriter, 8.0r4.1 and 7.4r11.1 address the server-side fixes; for the client side, please refer to your browser vendor. However, the OpenSSL MITM vulnerability (CVE-2014-0224) can only be exploited if both server and client are vulnerable to this issue. If only one of the two is vulnerable, there is no risk of exploitation. Hence patching the server side will help mitigate the issue.
Clients on Mobile Platforms *** :
- Pulse Secure Mobile for iOS (FIPS) versions: resolved in 5.0r6
- Pulse Secure Mobile for Android versions: resolved in 5.0r6
*** - Please note that the OpenSSL MITM vulnerability (CVE-2014-0224) can only be exploited if both server and client are vulnerable to this issue. If only one of the two is vulnerable, there is no risk of exploitation. Hence patching the server side will help mitigate the issue.