Ivanti has it released 27 fixes for various vulnerabilities reported in the Q1 2024 release. None of the vulnerabilities are actively exploited, according to the vendor.
The company recommends users download the Avalanche installer and update it to the latest version of Avalanche 6.4.3, which, in turn, will apply all the fixes listed in the update.
Each of the vulnerabilities has a CVSS score, ranging from 4.3, a vulnerability that could allow an authenticated, remote attacker to view sensitive information in memory, to 9.8, a heap overflow vulnerability in the WLAvalancheService portion of Avalanche, prior to the release 6.4. 3, which allows a remote attacker to execute commands without authentication.
Ivanti urges its users to ensure that the MSSQL database password is readily available because it does not store the password. Users can download Avalanche 6.4.3 version via Ivantialong with information on the next steps to take.