SA40161 - [Pulse Secure] glibc getaddrinfo stack-based buffer overflow (CVE-2015-7547)

A buffer over flow issue was found in the glibc library. This issue was originally publicized via this post: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

Pulse Secure has completed our investigation.  We were able to determine the following products are not affected:

• Pulse Secure (Desktop) client (Windows / Mac OS X)
• Network Connect (Windows / Mac OS X)
• Pulse Mobile (Android / iOS)

Below are the affected products and the tentative release dates:

Pulse Connect Secure
Only 8.1RX, 8.2RX and above are vulnerable.  Previous versions are not vulnerable. This issue will be resolved in:

• 8.1R8
• 8.2R2

Pulse Policy Secure
Only 5.1RX, 5.2RX, 5.3RX and above are vulnerable.  Previous versions are not vulnerable. This issue will be resolved in:

• 5.1R8
• 5.2R6 (tentative for mid-April)
• 5.3R2

Linux Network Connect
Users should update the affected glibc packages provided by their Linux distro. The Network Connect client itself is not vulnerable as we utilize the system's glibc libraries.

Pulse One/WorkSpaces
Under investigation


Document History:

February 25, 2016 - Added applicable versions for PCS and PPS and tentative release dates.
April 7, 2016 - Updated tentative date for PPS 5.2R6