KB-2286 Information about the Ivanti Connect Secure and Ivanti Policy Secure security advisories (CVE-2024-46805, CVE-2024-21887, CVE-2024-21888, CVE-2024-21893)

On 10-Jan-2024, Ivanti released a security advisory for all organizations using the Ivanti Connect Secure and Ivanti Policy Secure software. On 12-Jan-2024, CISA released a security advisory noting that the vulnerabilities in the affected Ivanti products have been exploited in the wild. This was followed by a CISA emergency directive on 19-Jan-2024.

Upon assessing the Appian platform against all details of the CVEs, we can confirm that the Appian platform is not impacted by the vulnerabilities described in the Ivanti security advisory. We will continue to monitor the situation and provide any updates as appropriate.

Additional Notes

The following CVEs were released with additional information on the scope of the vulnerabilities:

  • CVE-2024-46805 (“Ivanti Connect Secure and Policy Secure Authentication Bypass Vulnerability”)
  • CVE-2024-21887 (“Ivanti Connect Secure and Policy Secure Command Injection Vulnerability”)
  • CVE-2024-21888 (“Ivanti Connect Secure and Ivanti Policy Secure privilege escalation vulnerability”)
  • CVE-2024-21893 (“Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery vulnerability”)

Supporting Documentation

Affected Versions

This article applies to all supported versions of Appian.

Last reviewed: February 7, 2024
