SA44858 - 9.1R12 Security Fixes

Resolutions for Pulse Connect Secure CVEs

Issue: As part of a rigorous code review that we have undertaken in close partnership with industry-leading third-party experts, we have discovered a number of common vulnerabilities and exposures (CVEs) in the Pulse Connect Secure (PCS) system software.

To our knowledge, none of the CVEs identified in this review have been exploited.  

The table below provides details of the vulnerabilities.

| CVE | Score (CVSS 3.0) | Vector | Weakness | Description |
| --- | --- | --- | --- | --- |
| CVE-2021-22937 | 9.1 | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-434 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform a file write via a maliciously crafted archive uploaded in the administrator web interface. |
| CVE-2021-22933 | 7.6 | AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:H | CWE-22 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request. |
| CVE-2021-22934 | 8.0 | AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-120 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator, or a compromised Pulse Connect Secure device in a load-balanced configuration, to perform a buffer overflow via a maliciously crafted web request. |
| CVE-2021-22935 | 9.1 | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | CWE-77 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter. |
| CVE-2021-22936 | 8.2 | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N | CWE-79 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow a threat actor to perform a cross-site scripting attack against an authenticated administrator via an unsanitized web parameter. |
| CVE-2021-22938 | 7.9 | AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:L | CWE-77 | A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform command injection via an unsanitized web parameter in the administrator web console. |

Fixes for all the CVEs listed above have been included in the latest version of PCS, 9.1R12, which was released on 2 August 2021. We strongly encourage you to upgrade to ensure your organization is protected.  

In addition to addressing the CVEs, PCS version 9.1R12 includes enhanced features such as the incorporation of our Pulse Security Integrity Checker Tool directly into the product to create a seamless, more secure customer experience. This built-in feature eliminates the need for scheduled downtime to run an integrity check.  

More information on version 9.1R12 can be found in the Product Release Notes and Technical Support Bulletin TSB44856. 

Refer to KB43892 - What releases will Pulse Secure apply fixes to resolve security vulnerabilities? for our End of Engineering (EOE) and End of Life (EOL) policies.

We are grateful to researchers who bring concerns to our attention and would direct any researchers or customers to our Responsible Disclosure Policy. A special thank you to Richard Warren of the NCC Group for his support in finding CVE-2021-22937. We would also like to thank the Unisys Security Response team for their contribution.