impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

SOLVED
bylie
Occasional Contributor

impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

Since the announcement of CVE-2022-0778 by the OpenSSL project, most of our systems that handle client certificates (FreeRADIUS, OpenVPN, ...) have been updated to mitigate this potential DoS. The new OpenSSL packages for these systems were available within hours after the announcement, which probably means this was coordinated with the OpenSSL project.

However, we've yet to find any information regarding this issue from Pulse Secure/Ivanti. We heavily use client/machine certificates for authentication and would like to know if Pulse Connect Secure is impacted and, if that's the case, when patches will be released.

For good measure we've also created a ticket with our VAR so they can take it up directly with Pulse Secure/Ivanti and we're keeping an eye on the security announcements and knowledge base articles.

1 ACCEPTED SOLUTION

bylie
Occasional Contributor

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

Just performed the upgrade to 9.1r14.1 and it seems to have gone well.

7 REPLIES
zanyterp
Moderator

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

I think the ticket is the best way to look at this; thank you for taking that step.

bylie
Occasional Contributor

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

What concerns us is the silence from Pulse Secure/Ivanti about this. All of our other systems had their updated packages ready to go within hours after the announcement while just being ordinary Ubuntu servers (although we do pay support to Canonical as we believe no one should work for free if you expect some sort of commitment).

From previous Pulse Secure KBs it looks to me that the PCS product does use OpenSSL in some way or form and I think it'd be rather important for them to jump on this if they actually use it for cert parsing. If they build OpenSSL from source the patch is literally just this.

On top of this I also hope Pulse Secure/Ivanti have some sort of support contract with OpenSSL which would probably give them a heads up when high severity issues like this are being worked on so they could investigate or prepare before the public announcement. I would be dumbfounded if they couldn't spare the change for something like this considering the cost of their products for their customers.

bylie
Occasional Contributor

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

Finally some movement from Pulse Secure/Ivanti around this CVE.

Liranh
Visitor

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

Any news regarding this issue?

bylie
Occasional Contributor

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

It appears that the KB will be updated this week:

March 28th - Remaining product investigation is still ongoing and being treated as our top priority. More updates will be provided this week as we continue our internal investigations.

bylie
Occasional Contributor

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

Pulse Connect Secure version 9.1r14.1 which includes a patch has been released.

bylie
Occasional Contributor

Re: impact of OpenSSL CVE-2022-0778 on Pulse Connect Secure products

Just performed the upgrade to 9.1r14.1 and it seems to have gone well.