I want to get off Mr. Ivanti's wild ride: security advisory for Ivanti Connect Secure and Ivanti Policy Secure: 🔗 https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways and blog post: https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure

  • CVE-2024-21894 (8.2 high): heap overflow leading to Denial of Service (DoS) and, under certain conditions, arbitrary code execution
  • CVE-2024-22052 (7.5 high): null pointer dereference causing DoS
  • CVE-2024-22053 (8.2 high): heap overflow leading to DoS or information disclosure
  • CVE-2024-22023 (5.3 medium): XML entity expansion (XEE) causing a limited-time DoS

We are not aware of any customers being exploited by these vulnerabilities at the time of disclosure.

#Ivanti #ConnectSecure #PolicySecure #vulnerability #CVE_2024_21894 #CVE_2024_22052 #CVE_2024_22053 #CVE_2024_22023


All federal civilian agencies ordered to disconnect at-risk Ivanti products by Friday

All federal civilian agencies in the U.S. have been ordered to disconnect Ivanti Connect Secure and Policy Secure products by Friday after more vulnerabilities were found in the tools this week.