Pulse and OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

Hi All -

OpenSSL released information about two HIGH vulnerability CVEs (initially CRITICAL but since downgraded). Do we know if Pulse and its toolsets are exposed to CVE-2022-3602 or CVE-2022-3786?

OpenSSL’s Security Advisory URL: https://www.openssl.org/news/secadv/20221101.txt

Hi @zachary.allin ,

The above question will also depend on a number of external factors, like if the Pulse server is behind a Web server - and SSL has been configured from there. In this case, it will depend on what SSL engine is being used by the front-web server.

Overall, Pulse’s Tomcat server deployment is using JSSE by default and not OpenSSL.

Cheers!

Paul

Thanks @plim! We’re using the default Pulse config, fronted by an AWS ALB so I think we’re all good. We were concerned about what might’ve been running under the hood of the “Pulse Application Server” and other Windows Services, but thanks for the clarification!
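
One way to confirm which TLS engine each Tomcat connector would use, added here as an example and not code from Pulse or from the posters in this thread. The `server.xml` sample is constructed, the function names are hypothetical, and the affected range (OpenSSL 3.0.0 through 3.0.6) is taken from the OpenSSL advisory linked above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample for illustration; this is not Pulse's shipped server.xml.
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"/>
    <Connector port="9443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11AprProtocol"/>
    <Connector port="10443" SSLEnabled="true"
               protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  </Service>
</Server>"""

def tls_engines(server_xml):
    """Map each TLS-enabled connector port to the TLS engine it would use."""
    root = ET.fromstring(server_xml)
    apr_listener = any(l.get("className", "").endswith("AprLifecycleListener")
                       for l in root.iter("Listener"))
    result = {}
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS engine involved
        impl = c.get("sslImplementationName", "")
        proto = c.get("protocol", "HTTP/1.1")
        if proto.endswith("Http11AprProtocol") or impl.endswith("OpenSSLImplementation"):
            engine = "openssl"
        elif impl.endswith("JSSEImplementation"):
            engine = "jsse"
        else:
            # No explicit implementation: Tomcat selects OpenSSL only when the
            # tomcat-native library is loaded, otherwise it falls back to JSSE.
            engine = "openssl-if-native-loaded" if apr_listener else "jsse"
        result[int(c.get("port"))] = engine
    return result

def openssl_affected(version):
    """True for OpenSSL 3.0.0 through 3.0.6, the range both CVEs affect."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return bool(m) and (3, 0, 0) <= tuple(map(int, m.groups())) <= (3, 0, 6)

if __name__ == "__main__":
    for port, engine in tls_engines(SAMPLE_SERVER_XML).items():
        print(port, engine)
```

A connector reported as `openssl` or `openssl-if-native-loaded` is the case where the linked OpenSSL library version needs checking with `openssl_affected`; when TLS terminates at a front-end proxy or load balancer, that component's TLS engine is the one in scope instead.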