SA44193 - 2019-06: Out-of-Cycle Advisory: Multiple Linux Kernel and FreeBSD vulnerabilities

Problem
On June 17, 2019, Netflix announced a group of new security advisories related to the Linux kernel and FreeBSD. These issues may affect Pulse Secure products. For a list of supported software versions, please refer to our EOL Policy.

The Netflix advisory can be found at the following link: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Solution
Pulse Secure is currently evaluating the following issues reported by Netflix:
  • SACK Panic (CVE-2019-11477)
  • SACK Slowness or Excess Resource Usage (CVE-2019-11478)
  • SACK Slowness the RACK TCP Stack (CVE-2019-5599)
  • Excess Resource Consumption Due to Low MSS Values (CVE-2019-11479)

Affected Products:

Pulse Secure is currently investigating all products below to determine which may be affected by these vulnerabilities and the impact on all supported software versions. Since the investigation is ongoing, we suggest subscribing to this advisory, as this document will be periodically updated with the latest status.

SACK Panic (CVE-2019-11477)
7.5 High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Pulse Connect Secure: Vulnerable
  • Pulse Policy Secure: Vulnerable
  • Pulse One: Under review
  • Pulse Secure vADC: Vulnerable

SACK Slowness or Excess Resource Usage (CVE-2019-11478)
5.3 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Pulse Connect Secure: Vulnerable
  • Pulse Policy Secure: Vulnerable
  • Pulse One: Under review
  • Pulse Secure vADC: Vulnerable

SACK Slowness the RACK TCP Stack (CVE-2019-5599)
5.3 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Pulse Connect Secure: Not vulnerable
  • Pulse Policy Secure: Not vulnerable
  • Pulse One: Under review
  • Pulse Secure vADC: Not vulnerable

Excess Resource Consumption Due to Low MSS Values (CVE-2019-11479)
5.3 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • Pulse Connect Secure: Vulnerable
  • Pulse Policy Secure: Vulnerable
  • Pulse One: Under review
  • Pulse Secure vADC: Vulnerable

Document History:
June 19, 2019 - Initial publication & added details for Pulse Secure vADC and CVSS Score

LEGAL DISCLAIMER
  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.