This security advisory will be updated as our investigation continues.
Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)
Pulse Connect Secure | Not Vulnerable** Mitigation for 7.1: From the admin UI, disable SSLv2. |
Pulse Policy Secure | Not Vulnerable |
Pulse Secure Desktop Client (Windows & Mac OS X) | Not Vulnerable |
Pulse Secure Client - iOS | Resolved in 6.0.1 |
Pulse Secure Client - Android | Not Vulnerable |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Not Vulnerable |
Network Connect (Windows & Mac) | Not Vulnerable |
Network Connect (Linux) / Pulse Secure (Linux) | Not Vulnerable |
SBR | Vulnerable** Mitigation: SSLv2 can be disabled via the minimumProtocolVersion configuration setting in the sbr_administration.xml file. |
Double-free in DSA code (CVE-2016-0705)
Pulse Connect Secure | Not Vulnerable |
Pulse Policy Secure | Not Vulnerable |
Pulse Secure Desktop Client (Windows & Mac OS X) | Not Vulnerable |
Pulse Secure Client - iOS | Resolved in 6.0.1 |
Pulse Secure Client - Android | Resolved in 6.0.1 |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Not Vulnerable |
Network Connect (Windows & Mac) | Resolved in 8.2R3 Resolved in 8.1R9 Resolved in 8.0R15 |
Network Connect (Linux) / Pulse Secure (Linux) | Resolved in 8.2R4 Resolved in 8.1R10 Resolved in 8.0R16 |
SBR | Not Vulnerable |
Memory leak in SRP database lookups (CVE-2016-0798)
Pulse Connect Secure | Not Vulnerable |
Pulse Policy Secure | Not Vulnerable |
Pulse Secure Desktop Client (Windows & Mac OS X) | Not Vulnerable |
Pulse Secure Client - iOS | Resolved in 6.0.1 |
Pulse Secure Client - Android | Resolved in 6.0.1 |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Not Vulnerable |
Network Connect (Windows & Mac) | Not Vulnerable |
Network Connect (Linux) / Pulse Secure (Linux) | Not Vulnerable |
SBR | Not Vulnerable |
BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797)
Pulse Connect Secure | Resolved in 8.2R3 Resolved in 8.1R10 Resolved in 8.0R16 Resolved in 7.4R13.7 |
Pulse Policy Secure | Resolved in 5.3R3 Resolved in 5.2R7 |
Pulse Secure Desktop Client (Windows & Mac OS X) | Not Vulnerable |
Pulse Secure Client - iOS | Resolved in 6.0.1 |
Pulse Secure Client - Android | Resolved in 6.0.1 |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Not Vulnerable |
Network Connect (Windows & Mac) | Resolved in 8.2R3 Resolved in 8.1R9 Resolved in 8.0R15 |
Network Connect (Linux) / Pulse Secure (Linux) | Resolved in 8.2R4 Resolved in 8.1R10 Resolved in 8.0R16 |
Odyssey (Windows) | Not Vulnerable |
SBR | Under Investigation |
Fix memory issues in BIO_*printf functions (CVE-2016-0799)
Pulse Connect Secure | Resolved in 8.2R3 Resolved in 8.1R10 Resolved in 8.0R16 Resolved in 7.4R13.7 |
Pulse Policy Secure | Resolved in 5.3R3 Resolved in 5.2R7 |
Pulse Secure Desktop Client (Windows & Mac OS X) | Resolved in 5.2R3 Resolved in 5.1R9 |
Pulse Secure Client - iOS | Resolved in 6.0.1 |
Pulse Secure Client - Android | Resolved in 6.0.1 |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Not Vulnerable |
Network Connect (Windows & Mac) | Resolved in 8.2R3 Resolved in 8.1R9 Resolved in 8.0R15 |
Network Connect (Linux) / Pulse Secure (Linux) | Resolved in 8.2R4 Resolved in 8.1R10 Resolved in 8.0R16 |
Odyssey (Windows) | Under Investigation |
SBR | Vulnerable |
Side channel attack on modular exponentiation (CVE-2016-0702)
Pulse Connect Secure | Not Vulnerable |
Pulse Policy Secure | Not Vulnerable |
Pulse Connect Secure / Pulse Policy Secure Virtual Appliance (VA) | Vulnerable |
Pulse Secure Desktop Client (Windows & Mac OS X) | Resolved in 5.2R3 Resolved in 5.1R9 |
Pulse Secure Client - iOS | Not Vulnerable |
Pulse Secure Client - Android | Not Vulnerable |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Vulnerable |
Network Connect (Windows & Mac) | Resolved in 8.2R3 Resolved in 8.1R9 Resolved in 8.0R15 |
Network Connect (Linux) / Pulse Secure (Linux) | Resolved in 8.2R4 Resolved in 8.1R10 Resolved in 8.0R16 |
Odyssey (Windows) | Under Investigation |
SBR | Not Vulnerable |
Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703)
Pulse Connect Secure | Not Vulnerable |
Pulse Policy Secure | Not Vulnerable |
Pulse Secure Desktop Client (Windows & Mac OS X) | Not Vulnerable |
Pulse Secure Client - iOS | Not Vulnerable |
Pulse Secure Client - Android | Not Vulnerable |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Not Vulnerable |
Network Connect (Windows & Mac) | Not Vulnerable |
Network Connect (Linux) / Pulse Secure (Linux) | Not Vulnerable |
Odyssey (Windows) | Not Vulnerable |
SBR | Vulnerable** Mitigation: SSLv2 can be disabled via the minimumProtocolVersion configuration setting in the sbr_administration.xml file. |
Bleichenbacher oracle in SSLv2 (CVE-2016-0704)
Pulse Connect Secure | Not Vulnerable** Mitigation for 7.1: From the admin UI, disable SSLv2. |
Pulse Policy Secure | Not Vulnerable |
Pulse Secure Desktop Client (Windows & Mac OS X) | Not Vulnerable |
Pulse Secure Client - iOS | Not Vulnerable |
Pulse Secure Client - Android | Not Vulnerable |
Pulse WorkSpace / One | Not Vulnerable |
Windows Inbox (Windows 8 and 8.1) | Not Vulnerable |
Network Connect (Windows & Mac) | Not Vulnerable |
Network Connect (Linux) / Pulse Secure (Linux) | Not Vulnerable |
Odyssey (Windows) | Not Vulnerable |
SBR | Vulnerable** Mitigation: SSLv2 can be disabled via the minimumProtocolVersion configuration setting in the sbr_administration.xml file. |
Document history:
March 1st, 2016 - Initial document posted
March 3rd, 2016 - Updated various products with current status
March 7th, 2016 - Adjustment to CVE-2016-0702 (Applicable only to Virtual Appliances)
March 9th, 2016 - Added additional mitigation for 7.1 for CVE-2016-0704 & CVE-2016-0800
March 30th, 2016 - Added iOS and Android updates.
April 1st, 2016 - Updated CVE-2016-0703 Mac/Win Pulse Desktop status
April 5th, 2016 - Updated CVE-2016-0705 PCS/PPS status, CVE-2016-0799 PCS/PPS status, CVE-2016-0702 Pulse Desktop, CVE-2016-0702 Pulse Desktop
April 7th, 2016 - Updated CVE-2016-0797 PCS/PPS status
May 5th, 2016 - Added product ETAs to mobile clients
June 27th, 2016 - Added fixed version for Network Connect (Windows & Mac), Network Connect (Linux), and Pulse Secure (Linux)
July 5th, 2016 - Updated ETAs for Pulse Secure Mobile Clients.
August 1st, 2016 - Updated ETAs for Pulse Secure Mobile Clients to Mid-August
August 9th, 2016 - Updated tentative dates for CVE-2016-0797 and CVE-2016-0799