The solution for this issue is to update the endpoint machine with a fixed version of the impacted Pulse Secure client software. To know which updated client software to deploy, please consult the following table, which shows which software you should deploy depending on what clients are installed on your endpoint machines.
| If the below client is installed: | Then deploy this version (or later)
to resolve the issue: | Expected Release
Date | Notes (if any) |
|---|
| Pulse Secure Desktop Client 5.2rX | Pulse Secure Desktop Client 5.2r4.1
(#787) | Available Now | ** Users running Pulse Secure Desktop version 5.2R3, 5.2R3.1 or 5.2R4 please refer footnote below. |
| Pulse Secure Desktop Client 5.1rX | Pulse Secure Desktop Client 5.1r9.1
(#61697) | Available Now | |
| Pulse Secure Desktop Client 5.0rX | Pulse Secure Desktop Client 5.0r15.1
(#61501) | Available Now | |
| Odyssey Access Client 5.6rX | Odyssey Access Client 5.6r18
| Available Now | |
| Pulse Secure Installer Service 8.2rX | Pulse Secure Installer Service 8.2r4.1
(#48335) | Download EXE
Download MSI | |
| Pulse Secure Installer Service 8.1rX | Pulse Secure Installer Service 8.1r9.1
(#48255) | Download EXE
Download MSI | |
| Juniper Installer Service 8.0rX | Juniper Installer Service 8.0r15.1
(#48271) | Download EXE
Download MSI | |
| Juniper Installer Service 7.4rX | Juniper Installer Service 8.0r15.1
(#48271) | Download EXE
Download MSI | |
|
Pulse Collaboration 8.2rX
(formerly known as Secure Meeting)
| Pulse Secure Installer Service 8.2r4.1
(#48335) | Download EXE
Download MSI | Required only if the client is installed using administrator privileges |
|
Pulse Collaboration 8.1rX
(formerly known as Secure Meeting)
| Pulse Secure Installer Service 8.1r9.1
(#48255) | Download EXE
Download MSI | Required only if the client is installed using administrator privileges |
| Secure Meeting 8.0rX | Juniper Installer Service 8.0r15.1
(#48271) | Download EXE
Download MSI | Required only if the client is installed using administrator privileges |
| Secure Meeting 7.4rX | Juniper Installer Service 8.0r15.1
(#48271) | Download EXE
Download MSI | Required only if the client is installed using administrator privileges |
**Footnote: End-users running Only the Pulse Secure Desktop client (version 5.2R3, 5.2R3.1 or 5.2R4) are not impacted by this vulnerability as this issue is fixed in those three and any higher versions of the Pulse Secure Desktop client. However if you are running Pulse Secure Desktop and also the Standalone Installer Service client on the same endpoint then you may still be impacted by this issue and the recommended solution is to upgrade to Pulse Secure Desktop Client 5.2r4.1 (#787)
Frequently Asked Questions (FAQ):
Question 1: I have both the Pulse Secure Desktop client and the Standalone Installer Service client installed on my machine. Do I need to upgrade both products?
Answer: No upgrading both clients is not necessary. On each endpoint it is possible to remedy all your affected client products simply by patching only one of the Pulse Secure clients.The recommended upgrade path is you must upgrade the client software that is of the latest minor version (highlighted in RED below). For example:
- If you have Pulse Secure desktop client 5.2RX and Installer Service 8.1RX (or earlier) installed, then you would need to upgrade only the Pulse Secure Desktop Client in order to patch both products with a single upgrade.
- If you have Pulse Secure desktop client 5.1RX (or earlier) and Installer Service 8.2RX installed, then you would need to upgrade only the Installer Service client in order to patch both products with a single upgrade.
- If your Pulse Secure desktop client and Installer Service are at the same minor version (e.g., 5.2 & 8.2, or 5.1 & 8.1, or 8.0 & 5.0, respectively), then you can upgrade either one, and both will be fixed.
Question 2: I have multiple clients at the same minor version installed. Which client should I upgrade to fix all affected clients?
Answer: The recommended order of preference is:
- Pulse Secure Desktop Client
- Odyssey Access Client
- Pulse Secure (Juniper) Installer Service
For example:
- If you have the Pulse Secure Desktop Client and either the Odyssey Access Client or the standalone Installer Service, then the recommended remediation path is to upgrade the Pulse Secure Desktop client.
Question 3: I neither use the Pulse Secure Desktop client nor the Odyssey Access Client. I use Network Connect, Host Checker and have the standalone Installer Service client along with it. How do I fix the vulnerable Standalone Installer Service client ?
Answer: Install the appropriate patched Standalone Installer Service client bundle to the client machine, as listed in the table above.
Question 4: How do I deploy the patched Pulse Secure Desktop clients to my endpoints?
Answer: If you intend to deploy a patched Pulse Secure Desktop Client, upload the client bundle to your PCS or PPS gateway, configure it as the active version, and have your end users connect to the gateway. The Pulse Secure Desktop Client will auto-upgrade upon connection. Alternatively, you could distribute the Pulse Secure Desktop Client to your endpoints through an out-of-band software-distribution mechanism like SMS. For details, refer to Pulse Secure Desktop admin guide about Upgrading Pulse Secure Client.
Question 5: How do I deploy the patched Installer Service clients to my endpoints?
Answer: Currently the only option to upgrade installer Service Client is by distributing the patched Standalone Installer Service client to your endpoints through an out-of-band software-distribution mechanism like SMS or by providing the client package to your end-user by other means.
Note: The Standalone Installer service client package is available in two format (exe and msi). If you have a previous version of the Installer Service installed, then you can invoke the Installer Service ".exe" file as a restricted user. The ".exe" version of the Installer Service will communicate with the existing Installer Service and essentially bootstrap itself without requiring administrative privileges. But if you instead invoke the Installer Service ".msi" file, then you must be an administrative user.
Question 6: Are there new PCS/PPS server packages available? Do I need them to fix the vulnerability?
Answer: Pulse Secure, LLC intends to offer upgraded versions of
Upgrading your server versions is not necessary to fix the security vulnerability on your endpoint machines. This is a client side issue for Pulse Secure Installer Service client, Pulse Secure Collaboration, Odyssey Access client and the Pulse Secure Desktop Client. However, one advantage of upgrading your PCS gateway is that users of PCS 8.1 and later will have the option of having the Installer Service auto-upgrade when clients are upgraded upon connection. For example, if you upgrade to the upcoming 8.1r9.1 PCS gateway release, and your restricted users connect to the gateway with Network Connect, the Installer Service will auto-upgrade along with the Network Connect software. (This Installer Service auto-upgrade functionality is not present in PCS 8.0 and earlier.)
Question 7: What clients are impacted by this vulnerability?Answer: All Windows OS (Windows 10, Windows 7, etc) endpoints that are running an affected version of Pulse Secure Desktop Client, Pulse Secure Collaboration, Odyssey Access Client or Installer Service client are susceptible to this issue.
Question 8: How do I find the current version of client running on my machine?Answer:
A. For Pulse Secure Desktop, Pulse Secure Collaboration and Odyssey Access client, the version information can be found within the application using select
Help >
About.
B. And for the Standalone Installer Service client, version information will be stated in the versionInfo.ini file in the following directories:
- C:\Program Files(x86)\Juniper Networks\Installer Service\
- C:\Program Files(x86)\Pulse Secure\Installer Service\
The first two digits major release (8.1). The third digit is the minor release (R4). In this example, the version would be 8.1R4.
Question 9: On any endpoint machine how do I confirm if I am impacted by this issue?Answer:
You can confirm this using
DisplayVersion information in the versionInfo.ini file in the following directories:
- For 8.1/5.1 and earlier clients (and also in the Odyssey Access Client), the location is:
C:\Program Files(x86)\Common Files\Juniper Networks\JUNS
- For 8.2/5.2 and later clients, the location is:
C:\Program Files(x86)\Common Files\Pulse Secure\JUNS
If the
DisplayVersion is 5.2.4.787 or later, 5.1.9.61697 or later, 5.0.15.61501 or later, or 5.1.103.X or later, the client is not vulnerable. However any older versions indicate that the client is impacted by this issue.
Question 10: How do I upgrade Odyssey Access client to resolve this vulnerability?Answer: Download a fixed version (5.6R18 or higher) of the Odyssey Access client available from the Licensing & Download Center at
https://my.pulsesecure.net and deploy this client using a software management tool like SCCM or SMS or using any other client software distribution solution that was previously used to deploy the OAC client.
Question 11: How do I upgrade Pulse Secure Collaboration client to resolve this vulnerability?Answer: For Pulse Collaboration customers who do not use Pulse Secure Desktop or Pulse Secure Installer Service, the recommendation is to upgrade the PCS gateway to patched version. An alternative solution is to install a patched version of Pulse Installer Service.
Question 12: I do not use the affected clients anymore. Can I uninstall them to fix the vulnerability instead of upgrading?Answer: Yes. If you do not use any of the vulnerable client components (listed above), then you may uninstall them to mitigate the risk of the vulnerability. However, you must ensure that all impacted client components are uninstalled.
Document history:
July 24th, 2016 -- Initial document posted
July 28th, 2016 -- Tentative date change for OAC release
August 3rd, 2016 -- PCS 8.2R4.1, PCS 8.1R9.1, PPS 5.3R4.1 and Odyessy 5.6R18 released
