SA40210 - [Pulse Secure] Information disclosure possible on admin UI (CVE-2016-4791)

An information disclosure issue was discovered on the Pulse Connect Secure device. This issue exists on the administrative user interface and requires admin level access. Because of the required admin access the risk of the issue is limited and may not be a problem for most organizations. This issue was assigned: CVE-2016-4791.

When exploited this issue could allow file discovery and file reading on the device. It could also allow an admin to access devices and services through the system through server side request forgery (SSRF). 

This issue was responsibly reported to Pulse Secure by a security researcher. 

Pulse Secure is not aware of any public exploitation of this issue. 

This issue is resolved in PCS 8.2r1, 8.1r2, 8.0r9, and 7.4r13.4. 

Software downloads can be located on our support site: https://my.pulsesecure.net

There are no work arounds for this issue. The only way to resolve the issue is to upgrade to a fixed release of software. 

This vulnerability was discovered and responsibly reported to the vendor by Anton Rager from the Salesforce.com Product Security Team.