Security Alert (A24-04-04): Multiple Vulnerabilities in Ivanti Products


 

Published on: 05 April 2024

  
  

Description:

Ivanti has released a security advisory to address multiple vulnerabilities in Ivanti products. Detailed information about the vulnerabilities can be found at:
https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways

 

Affected Systems:

  • Ivanti Connect Secure versions 9.x, 22.x
  • Ivanti Policy Secure versions 9.x, 22.x

For detailed information of the affected systems, please refer to the corresponding security advisory at vendor's website.

 

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service or information disclosure on an affected system.

 

Recommendation:

Patches for affected systems are now available. System administrators of affected systems should follow the recommendations provided by the vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://forums.ivanti.com/s/article/SA-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways
  • https://www.hkcert.org/security-bulletin/ivanti-products-multiple-vulnerabilities_20240405
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21894
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22023
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22052 (to CVE-2024-22053)


Tag: Ivanti , Ivanti Connect Secure , Ivanti Policy Secure
Tags