SA40161 - [Pulse Secure] glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547)

Product Affected: Potentially multiple products
Problem
A stack-based buffer overflow was found in the getaddrinfo function of the glibc library (CVE-2015-7547). This issue was originally publicized via this post: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
Solution
Pulse Secure has completed its investigation. We were able to determine that the following products are not affected:
  • Pulse Secure (Desktop) client (Windows / Mac OS X)
  • Network Connect (Windows / Mac OS X)
  • Pulse Mobile (Android / iOS)

Below are the affected products and the tentative release dates:

Pulse Connect Secure
Only 8.1RX, 8.2RX and above are vulnerable.  Previous versions are not vulnerable. This issue will be resolved in:
  • 8.1R8
  • 8.2R2

Pulse Policy Secure
Only 5.1RX, 5.2RX, 5.3RX and above are vulnerable.  Previous versions are not vulnerable. This issue will be resolved in:
  • 5.1R8
  • 5.2R6 (tentative for mid-April)
  • 5.3R2

Linux Network Connect
Users should update the affected glibc packages provided by their Linux distro. The Network Connect client itself is not vulnerable as we utilize the system's glibc libraries.

Pulse One/WorkSpaces
Under investigation


Document History:

February 25, 2016 - Added applicable versions for PCS and PPS and tentative release dates.
April 7, 2016 - Updated tentative date for PPS 5.2R6
Alert Type: SA - Security Advisory