Ivanti has released patches for new DoS vulnerabilities that affect Ivanti Connect Secure and Ivanti Policy Secure. Some of the vulnerabilities could also lead to arbitrary code execution or information disclosure. Four vulnerabilities have been discovered and patched in all supported versions of both products.
The four vulnerabilities are CVE-2024-21894 and CVE-2024-22053, which are heap overflow vulnerabilities; CVE-2024-22052, a null pointer dereference vulnerability; and CVE-2024-22023, an XML entity expansion (XEE) vulnerability. All four can be triggered by an unauthenticated attacker sending specially crafted requests to crash the service or cause resource exhaustion. If certain conditions are met, the heap overflow vulnerabilities could allow the attacker to execute code or read contents from memory.