Ivanti Product Security Update Advisory

Overview

An update has been released to address vulnerabilities in Ivanti products. Users of the affected versions are advised to update to the latest version.

 

Affected Products

 

CVE-2024-9380, CVE-2024-9381

  • Ivanti Cloud Services Appliance (CSA) versions: ~ 5.0.1 (inclusive)

 

CVE-2024-7612

  • Ivanti EPMM (Core) versions: ~ 12.1.0.3 (inclusive)

 

CVE-2024-9167

  • Velocity License Server versions: 5.1 (inclusive) ~ 5.1.2 (inclusive)

 

 

Resolved Vulnerabilities

 

OS command injection vulnerability in the management web console (CVE-2024-9380)

Vulnerability that could allow remote authenticated attackers with administrator privileges to bypass restrictions via path traversal (CVE-2024-9381)

Insecure privileges could allow an authenticated local attacker to access or modify sensitive configuration files without proper authorization (CVE-2024-7612)

Vulnerability where insecure privileges could allow a locally authenticated attacker to achieve local escalation of privileges (CVE-2024-9167)

 

Vulnerability Patches

 

The following product-specific Vulnerability Patches have been made available in the latest update. If you are using an affected version, Please follow the instructions on the Referenced Sites to update to the latest Vulnerability Patches version.
 

 

CVE-2024-9380, CVE-2024-9381

  • Ivanti Cloud Services Appliance (CSA) version: 5.0.2

 

CVE-2024-7612

  • Ivanti EPMM (Core) version: 12.1.0.4, 12.1.0.5

 

CVE-2024-9167

  • Velocity License Server version: 5.2

 

 

References

[1] Security Advisory Ivanti Cloud Services Application (CSA) (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-CSA-Cloud-Services-Appliance-CVE-2024-9379-CVE-2024-9380-CVE-2024-9381?language=en_US

[2] Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2024-7612)

https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2024-7612?language=en_US

[3] Security Advisory Velocity License Server (CVE-2024-9167)

https://forums.ivanti.com/s/article/Security-Advisory-Velocity-License-Server-CVE-2024-9167?language=en_US