Pulse and OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786

Hi All -

OpenSSL released information about two HIGH vulnerability CVE’s (initially CRITICAL but since downgraded). Do we know if Pulse and its toolsets are exposed to CVE-2022-3602 or CVE-2022-3786?

OpenSSL’s Security Advisory URL: https://www.openssl.org/news/secadv/20221101.txt

Hi @zachary.allin ,

The above question will also depends on a number of external factors like if the Pulse server is behind a Web server - and SSL has been configured from there. On this case, it will depend on what SSL engine is being used by the front-web server.

Overal, Pulse’ Tomcat server deployment is using JSSE by default and not OpenSSL.



Thanks @plim! We’re using the default Pulse config, fronted by an AWS ALB so I think we’re all good. We were concerned about what might’ve been running under the hood of the “Pulse Application Server” and other Windows Services, but thanks for the clarification!