EPMM Security Update
At Ivanti, transparency is a cornerstone of our commitment to customer security and trust. It is through such transparency that vulnerabilities are swiftly addressed, allowing our customers and the broader ecosystem to take proactive measures to safeguard their environments amidst a rapidly evolving and highly sophisticated threat landscape.
To this end, we are issuing an important security update addressing vulnerabilities associated with open-source libraries used in Ivanti Endpoint Manager Mobile (EPMM). We have provided an FAQ below and in the Security Advisory.
At the time of disclosure, we are aware of a very limited number of customers whose solution has been exploited.
The issue only affects the on-prem EPMM product. It is not present in Ivanti Neurons for MDM, Ivanti’s cloud-based unified endpoint management solution, Ivanti Sentry, or any other Ivanti products.
We urge all customers using the on-prem EPMM product to promptly install the patch.
We have made additional resources and support teams available to assist customers in implementing the patch and addressing any concerns. Detailed information is available in our Security Advisory so that customers can protect their environment.
Thank you to our customers and security partners for their engagement and support, which enabled our swift response to this issue. We remain committed to continuously improving our products and processes through collaboration and transparency with our stakeholders and the broader security ecosystem.
Our Support team is always available to help customers and partners should they have any questions. Cases can be logged via the Success portal (login credentials required).
Want to stay up to date on Ivanti Security Advisories? Paste https://www.ivanti.com/blog/topics/security-advisory/rss into your preferred RSS reader or the RSS feature of your email program.
FAQ
What code is affected? Is it Ivanti’s code?
No. The vulnerabilities are associated with two open-source libraries integrated into EPMM. The use of open-source code is standard practice among all major technology companies.
Should Ivanti have been able to find these vulnerabilities earlier?
Ivanti is committed to using open-source code responsibly. One of the ways that we do this is by employing enterprise-grade software composition analysis tools and SBOMs to identify potential issues in the libraries that we use. At the time of disclosure, CVEs have not been reserved by the maintainer of the libraries for the security issues in the open-source libraries. We are actively working with our security partners and the maintainers of the libraries to determine if a CVE against the libraries is warranted for the benefit of the broader security ecosystem.
Why is Ivanti disclosing an issue in third-party code?
Ivanti values transparency as a means to protect not only our customers but the broader ecosystem. CVEs had not been assigned for the vulnerabilities affecting EPMM associated with open-source libraries when Ivanti reported them.
How can I determine if my system is affected?
The investigation is ongoing, and Ivanti does not have reliable atomic indicators at this time. Customers should reach out to our Support Team for guidance.
What actions has Ivanti taken in response to this discovery?
In addition to rapidly and proactively providing a patch, Ivanti has mobilized additional resources and support teams to assist customers and is actively collaborating with security partners, the broader security community and law enforcement. We are also engaging with the maintainers of these open-source libraries.