Ivanti Connect Secure Security Advisory SA-45520
At Ivanti, we are committed to delivering innovative, high-quality and secure solutions for our customers. We collaborate with the broader security ecosystem to share intelligence and appreciate when we are made aware of issues via responsible disclosure from reputable sources.
It is via a responsible disclosure that we recently learned of new vulnerabilities impacting selected versions of the following Ivanti secure access products:
- Ivanti Connect Secure (ICS) versions 9.1R16.1 and below and 22.2R1 and below,
- Ivanti Policy Secure (IPS) versions 9.1R16.1 and below and 22.2R1 and below,
- Ivanti Neurons for Zero Trust Access (ZTA) Gateway versions 22.2R1 and below,
- Ivanti Neurons for Secure Access versions 22.2R1 and below.
We are reporting the vulnerabilities as CVE-2022-35254 & CVE-2022-35258. Details can be found here: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520/?kA23Z000000GH5OSAW
We patched the issues in selected versions of PCS and ICS on 11 October. More information and access to the downloads can be found in this Knowledge Base article. Ivanti Neurons for Secure Access was patched in our hosted environment on 9 October.
Patches for IPS and ZTNA Gateway will be issued in the next general release planned for later in Q4 2022.
We have no evidence of any customers having been impacted by these new vulnerabilities. To fully protect your organization, we recommend upgrading Ivanti Connect Secure to an applicable dot release to address the vulnerabilities. There are no other mitigations available.
Our Support team is always here to help our customers and partners should they have any questions. Cases can be logged via the Support portal (login credentials required).