Reset Search
 

 

Article

SA44193 - 2019-06: Out-of-Cycle Advisory: Multiple Linux Kernel and FreeBSD vulnerabilities

« Go Back

Information

 
Product Affected
Problem
On June 17 2019, Netflix announced a group of new security advisories related to Linux Kernel and FreeBSD. These issues may affect Pulse Secure products. For a list of supported software versions, please refer to our EOL Policy

The Netflix advisory can be found at the following link: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Solution
Pulse Secure is currently evaluating the following issue reported by Netflix.
  • SACK Panic (CVE-2019-11477)
  • SACK Slowness or Excess Resource Usage (CVE-2019-11478)
  • SACK Slowness the RACK TCP Stack (CVE-2019-5599)
  • Excess Resource Consumption Due to Low MSS Values (CVE-2019-11479)

Affected Products:

Pulse Secure is currently investigating all products below to determine which products may be affected by these vulnerabilities and the impact on all supported software versions. Since the investigation is on-going, we suggest to subscribe to this advisory as this document will be periodically updated with the latest status.

SACK Panic (CVE-2019-11477)
7.5 High CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
 
Pulse Connect SecureResolved in 9.1R3 (Tentative for Q4)
Resolved in 9.0R5 (Tentative for end of August)
Pulse Policy SecureResolved in 9.1R3 (Tentative for Q4)
Resolved for 9.0R5 (Tentative for end of August)
Pulse OneUnder review
Pulse Secure vADCResolved in vTM 19.2
Hotfixes available for vTM 17.2 and 18.x
SACK Slowness or Excess Resource Usage (CVE-2019-11478)
5.3 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
 
Pulse Connect SecureVulnerable
Pulse Policy SecureVulnerable
Pulse OneUnder review
Pulse Secure vADCResolved in vTM 19.2
Hotfixes available for vTM 17.2 and 18.x

SACK Slowness the RACK TCP Stack (CVE-2019-5599)
5.3 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
 
Pulse Connect SecureNot vulnerable
Pulse Policy SecureNot vulnerable
Pulse One    Under review
Pulse Secure vADCNot vulnerable
Excess Resource Consumption Due to Low MSS Values (CVE-2019-11479)
5.3 Medium CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
 
Pulse Connect SecureResolved in 9.1R3 (Tentative for Q4)
Resolved for 9.0R5 (Tentative for end of August)
Pulse Policy SecureResolved in 9.1R3 (Tentative for Q4)
Resolved for 9.0R5 (Tentative for end of August)
Pulse One    Under review
Pulse Secure vADCResolved in vTM 19.2
Hotfixes available for vTM 17.2 and 18.x

Document History:
June 19, 2019 - Initial publication & added details for Pulse Secure vADC and CVSS Score
July 22, 2019 - Updated tentative timelines for Pulse Connect Secure and Pulse Policy Secure
August 13, 2019 - Updated information on fixed release for Pulse Secure vADC

LEGAL DISCLAIMER
  • THIS ADVISORY IS PROVIDED ON AN “AS IS” BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.  USE OF THIS INFORMATION FOUND IN THIS ADVISORY OR IN MATERIALS LINKED HEREFROM IS AT THE USER’S OWN RISK.  PULSE SECURE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS ADVISORY AT ANY TIME.
  • A STANDALONE COPY OR PARAPHRASE OF THE TEXT OF THIS ADVISORY THAT OMITS THE DISTRIBUTION URL IS AN UNCONTROLLED COPY AND MAY OMIT IMPORTANT INFORMATION OR CONTAIN ERRORS.  THE INFORMATION IN THIS ADVISORY IS INTENDED FOR END USERS OF PULSE SECURE PRODUCTS.
Workaround
Implementation
Related Links
CVSS Score
Risk Assessment
Acknowledgements
Alert Type 
Risk Level 
Attachment 1 
Attachment 2 
Legacy ID

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255