As many of you will probably already have seen in the news over the past few days OpenSSL has announced a critical fix in the upcoming OpenSSL v3.0.7 release. As the warning of a critical fix seems to have put everyone in the industry on edge some vendors have started with publishing a little bit more information about the internal investigations and potential impact on their products:
Is Pulse Secure/Ivanti doing the same internal investigations and are they able to publish the same preliminary announcements about the impact on their products (without revealing any details before the end of the embargo)? My hope is that, because only OpenSSL v3 seems to be impacted, there are no immediate threats for the current versions of Connect Secure but I can't seem to find any mention of used OpenSSL versions in that product so we cannot be sure of course.
It seems a couple of the more recent attribution documents for the PCS 9.1R14+ releases seem to mention the use of OpenSSL 1.0.1h and OpenSSL 1.0.2n, which both are quite old and EoL, but at least OpenSSL 1.0.2 seems to still be supported by premium support of the OpenSSL project:
"Provides extended support for LTS releases (including 1.0.2) beyond the public EOL date for as long as it remains commercially viable to do so."
Not a definitive answer of course but might be an indication that OpenSSL v3+ is currently not being used in the PCS products and we might be off the hook regarding the upcoming critical fix.
Confirmation from Ivanti/Pulse Secure that there are no impacted products.