Since the announcement of CVE-2022-0778 by the OpenSSL project most of our systems that handle client certificates (FreeRADIUS, OpenVPN, ...) have been updated to mitigate this potential DoS. The new OpenSSL packages for these systems were available within hours after the announcement which probably means this was coordinated with the OpenSSL project.
However we've yet to find any information regarding this issue from Pulse Secure/Ivanti. We heavily use client/machine certificates for authentication and would like to know if Pulse Connect Secure is impacted and, if that's the case, when patches will be released.
For good measure we've also created a ticket with our VAR so they can take it up directly with Pulse Secure/Ivanti and we're keeping an eye on the security announcements and knowledge base articles.
Solved! Go to Solution.
Just performed the upgrade to 9.1r14.1 and it seems to have gone well.
What concerns us is the silence from Pulse Secure/Ivanti about this. All of our other systems had their updated packages ready to go within hours after the announcement while just being ordinary Ubuntu servers (although we do pay support to Canonical as we believe no-one should work for free if you expect some sort of commitment).
From previous Pulse Secure KB's it looks to me that the PCS product does use OpenSSL in some way or form and I think it'd be rather important for them to jump on this if they actually use it for cert parsing. If they build OpenSSL from source the patch is literally just this.
On top of this I also hope Pulse Secure/Ivanti have some sort of support contract with OpenSSL which would probably give them a heads up when high severity issues like this are being worked on so they could investigate or prepare before the public announcement. I would be dumbfounded if they couldn't spare the change for something like this considering the cost of their products for their customers.
Finally some movement from Pulse Secure/Ivanti around this CVE.
Any news regarding this issue?
It appears that the KB will be updated this week:
March 28th - Remaining product investigation is still ongoing and being treated as our top priority. More updates will be provided this week as we continue our internal investigations.
Pulse Connect Secure version 9.1r14.1 which includes a patch has been released.