CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 can be mitigated by importing the Workaround-2104.xml file.

Impact:
The XML file disables the following features on the PCS appliance.
- Windows File Share Browser
- Pulse Secure Collaboration
The workaround uses the blacklisting feature to block the URL-based attack.
- The XML file is supplied as a zip archive; unzip it, then import the XML file.
- Import of this XML into any one node of a Cluster is enough.
Customers can download and import the file under the following location:
Go to Maintenance > Import/Export > Import XML. Import the file.
- This disables the Pulse Collaboration & Windows File Share browser functionality.
- If there is a load balancer in front of the PCS, this may affect the Load Balancer.
- If your load balancer uses round-robin, HealthCheck.cgi, or the advanced healthcheck.cgi, it will not be affected.
Disable the Windows File Browser and Pulse Collaboration in the Admin UI by following the steps below:
- Navigate to Users > User Roles > click Default Options > click General.
- Under Access Features, make sure the "Files, Windows" and "Meetings" options are not checked.
- Go to Users > User Roles.
- Click each role in turn and ensure that, under Access Features for that role, the "Files, Windows" and "Meetings" options are not enabled.
There is no need to reboot or restart services on the Pulse Secure appliance.
The URIs are as follows, in case you want to block them at your network edge using an inline load balancer that does SSL decryption:

This is only possible if there is an inline load balancer that does SSL decryption.

NOTE:
When you apply the 9.1R11.4 release fix, please remove the workaround with the following steps:
- Import the attached file remove-workaround-2104.xml (found in the same download location as Workaround-2104.xml: the Download Center at https://my.pulsesecure.net).
- Restore the previous settings for "Files, Windows" & "Meetings".
- Workaround-2104.xml does not work on 9.0R1 - 9.0R4.1 or 9.1R1 - 9.1R2. If your PCS is running one of these versions, upgrade before doing the import.
- The workaround is not recommended for a license server. We recommend minimizing who can connect to a license server. For example, place a license server on a management VLAN, or have a firewall enforce source-IP restrictions.