Ivanti Product Security Update Advisory

Overview

Ivanti has released security updates that address vulnerabilities in the products listed below. Users of affected products are advised to update to the latest version.

Affected Products

CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, CVE-2024-22023, CVE-2023-46805, CVE-2024-21887

  • Ivanti Connect Secure 22.x versions
  • Ivanti Connect Secure 9.x versions
  • Ivanti Policy Secure 22.x versions
  • Ivanti Policy Secure 9.x versions

Resolved Vulnerabilities

Heap Overflow Vulnerability in Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-21894) [2]

Null pointer dereference vulnerability in Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-22052) [2]

Heap Overflow Vulnerability in Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-22053) [2]

XML External Entity Expansion (XXE) Vulnerability in Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-22023) [2]

Command Injection Vulnerability in Ivanti Connect Secure and Ivanti Policy Secure (CVE-2024-21887) [3]

Authentication Bypass Vulnerability in Ivanti Connect Secure (ICS) and Ivanti Policy Secure (CVE-2023-46805) [3]

Vulnerability Patches

Patches for these vulnerabilities are available in the latest update. Follow the instructions on the Referenced Sites to update to the patched versions listed below.

CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, CVE-2024-22023

  • Ivanti Connect Secure versions 22.1R6.2, 22.2R4.2, 22.3R1.2, 22.4R1.2, 22.4R2.4, 22.5R1.3, 22.5R2.4, 22.6R2.3
  • Ivanti Connect Secure versions 9.1R14.6, 9.1R15.4, 9.1R16.4, 9.1R17.4, 9.1R18.5
  • Ivanti Policy Secure versions 22.4R1.2, 22.5R1.3, 22.6R1.2
  • Ivanti Policy Secure versions 9.1R16.4, 9.1R17.4, 9.1R18.5

CVE-2023-46805, CVE-2024-21887

  • Ivanti Connect Secure versions 9.1R18.4, 9.1R17.3, 9.1R16.3, 9.1R15.3, 9.1R14.5
  • Ivanti Connect Secure versions 22.6R2.2, 22.5R2.3, 22.5R1.2, 22.4R2.3, 22.4R1.1, 22.3R1.1, 22.2R4.1, 22.1R6.1
  • Ivanti Policy Secure versions 9.1R18.4, 9.1R17.3, and later
  • Ivanti Policy Secure versions 22.5R1.2, 22.4R1.1, 22.6R1.1
  • ZTA versions 22.5R1.6, 22.6R1.5
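
As an added example (not from Ivanti or this advisory), the following Python check parses Ivanti's `<major>.<minor>R<release>.<build>` version strings and compares an installed build against the fixed builds listed above, separately for each of the two CVE groups. The product keys ICS, IPS and ZTA, the group names, and the assumption that a later build on an already-patched branch retains the fix are mine, not stated by the advisory.

```python
import re

# First fixed build per release branch, transcribed from the version lists in
# this advisory (branch key = "<major>.<minor>R<release>", value = build number).
APRIL_2024 = {  # CVE-2024-21894, CVE-2024-22052, CVE-2024-22053, CVE-2024-22023
    "ICS": {"22.1R6": 2, "22.2R4": 2, "22.3R1": 2, "22.4R1": 2, "22.4R2": 4,
            "22.5R1": 3, "22.5R2": 4, "22.6R2": 3, "9.1R14": 6, "9.1R15": 4,
            "9.1R16": 4, "9.1R17": 4, "9.1R18": 5},
    "IPS": {"22.4R1": 2, "22.5R1": 3, "22.6R1": 2, "9.1R16": 4, "9.1R17": 4,
            "9.1R18": 5},
}
JANUARY_2024 = {  # CVE-2023-46805, CVE-2024-21887
    "ICS": {"9.1R18": 4, "9.1R17": 3, "9.1R16": 3, "9.1R15": 3, "9.1R14": 5,
            "22.6R2": 2, "22.5R2": 3, "22.5R1": 2, "22.4R2": 3, "22.4R1": 1,
            "22.3R1": 1, "22.2R4": 1, "22.1R6": 1},
    "IPS": {"9.1R18": 4, "9.1R17": 3, "22.5R1": 2, "22.4R1": 1, "22.6R1": 1},
    "ZTA": {"22.5R1": 6, "22.6R1": 5},
}
ADVISORIES = {"april_2024": APRIL_2024, "january_2024": JANUARY_2024}

VERSION_RE = re.compile(r"^(\d+\.\d+R\d+)(?:\.(\d+))?$")

def parse_version(version):
    """Split '22.5R2.4' into ('22.5R2', 4); a bare '22.5R2' counts as build 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Ivanti version string: {version!r}")
    return m.group(1), int(m.group(2) or 0)

def patch_status(product, version):
    """Return {advisory_group: True/False/None} for an installed version.
    True  = build is at or above the fixed build for that branch,
    False = build is below it (still vulnerable to that group),
    None  = branch not listed for this product in that group.
    Assumption (mine): later builds on a patched branch keep the fix."""
    branch, build = parse_version(version)
    status = {}
    for name, table in ADVISORIES.items():
        fixed = table.get(product, {}).get(branch)
        status[name] = None if fixed is None else build >= fixed
    return status

def is_fully_patched(product, version):
    """True only when every group that lists this branch is satisfied."""
    known = [v for v in patch_status(product, version).values() if v is not None]
    return bool(known) and all(known)

if __name__ == "__main__":
    for prod, ver in [("ICS", "22.5R2.3"), ("ICS", "22.5R2.4"), ("ZTA", "22.6R1.5")]:
        print(prod, ver, patch_status(prod, ver), is_fully_patched(prod, ver))
```

A branch that appears in neither table (for example an end-of-life release) reports None for both groups and is never treated as patched.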

Referenced Sites

[1] https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-policy-secure

[2] https://forums.ivanti.com/s/article/New-CVE-2024-21894-Heap-Overflow-CVE-2024-22052-Null-Pointer-Dereference-CVE-2024-22053-Heap-Overflow-and-CVE-2024-22023-XML-entity-expansion-or-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US

[3] https://forums.ivanti.com/s/article/CVE-2023-46805-Authentication-Bypass-CVE-2024-21887-Command-Injection-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure-Gateways?language=en_US