A reflected XSS vulnerability was recently identified on the Zscaler Trust Portal (Trust.Zscaler.com). The Zscaler Trust Portal is a publicly accessible website and does not host sensitive information. Zscaler would like to thank Pankaj Rane for responsibly disclosing the vulnerability and working with us to ensure that it was properly patched in a timely manner.
Zscaler provides transparency around service availability and changes to our customers. Please refer to Zscaler’s service continuity customer notification policy for details.
Incident:ResolvedPosted on: February 13, 2018 | 18:01 UTC
Incident:ResolvedPosted on: January 06, 2018 | 23:20 UTC
Zscaler has continued its evaluation of the Meltdown and Spectre Vulnerabilities and posted the assessment and actions in a pair of blog articles:
How Zscaler is protecting customers:
How Zscaler is securing its cloud:
Action required: If you are running any Zscaler private infrastructure software - ZPA connectors, NSS, VZEN, ZAB - it is your responsibility to update HOST OS and hypervisors to prevent exploitation of guest VMs by other VMs or code running on host.
Incident:ResolvedPosted on: January 04, 2018 | 21:30 UTC
Zscaler is aware and is actively following a new publicly disclosed class of vulnerabilities that affect most modern operating systems and processors. Our initial assessment is that this class of vulnerabilities does not pose a serious risk to our cloud infrastructure or the data that we are securing.
As we evaluate Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 & CVE-2017-5715), our top priorities are to keep our cloud running and our customer’s data secure and as such we are taking steps to evaluate and remediate any potential issues caused by these vulnerabilities.
While the scope of this industry-wide vulnerability includes operating systems and hardware in use in our cloud, the critical elements of our infrastructure do not allow attackers to run exploit code.
Nevertheless, we have been and will continue to patch our infrastructure as such patches become available. No additional user or customer action is needed.
Incident:ResolvedPosted on: May 04, 2017 | 2:08 UTC
Update May 4, 2017: We would like to clarify that Zscaler customer data, logs, policy data as well as cloud infrastructure were not impacted by this phishing campaign and do not utilized any Google services or applications.
An aggressive phishing campaign went viral earlier today, which impacted multiple Google users including enterprise Google deployments. A few Zscaler employees also received these phishing e-mails. The campaign involved an unsuspecting user receiving an email with a Google Doc link from one of their known contacts. If the user clicks on the link and further grants access, their contacts would be leveraged to send the same phishing e-mail with a link from the impacted user account.
The attack involved squatted domains that were recently registered and hosting the malicious web app. Zscaler implemented blocks for multiple domains tied to this campaign cloud wide within minutes of initial reports. Google was quick to resolve this issue and has posted official response here.
If you believe you clicked on such an email please go to g.co/SecurityCheckup as advised by Google Security team
Incident:ResolvedPosted on: February 27, 2017 | 18:28 UTC
Zscaler has addressed persistent XSS vulnerabilities identified in admin.zscaler[X].net and mobile.zscaler[X].net portals. The post-auth vulnerabilities would have allowed authenticated admin users to inject client-side content into certain admin UI pages which could impact other admin users of the same company. Zscaler would like to thank Alex Haynes for responsibly reporting the issues and working with Zscaler to ensure that they were properly remediated.
Incident:ResolvedPosted on: January 16, 2017 | 19:01 UTC
We are investigating an issue with traffic processing on our cloud. We will post additional information on this incident as it is available.
Update: 1/16/2017 20:06:49 UTC - This incident has been resolved. Please contact Zscaler Support if you have additional questions.
Incident:ResolvedPosted on: March 14, 2016 | 23:28 UTC
Researchers recently released details of an attack referred to as DROWN, exploiting a cross-protocol security vulnerability in servers supporting TLS and SSL. DROWN is an acronym for "Decrypting RSA with Obsolete and Weakened eNcryption". The DROWN attack can target all services that leverage TLS based encryption and use the SSLv2 protocol, provided they share the same public key credentials between the two protocols. A successful attack will expose the session key for a captured TLS handshake, allowing attackers to decrypt subsequent client-server communications. The Zscaler cloud is NOT susceptible to the DROWN attack as nodes supporting TLS encryption do not use the SSLv2 protocol.
Incident:ResolvedPosted on: May 22, 2015 | 14:19 UTC
Researchers recently released details of an attack referred to as Logjam which involves a Man-in-the-Middle (MitM) attack against Diffie-Hellman key exchange. Due to the fact that many servers and clients still support weak 512-bit export grade cryptography, the researchers have discovered that a successful MitM attack can force a client-server connection to downgrade the level of encryption employed in a TLS connection, which can then be decrypted. The ZScaler cloud is not susceptible to the Logjam attack as nodes supporting TLS encryption do not support DHE_EXPORT ciphers.
Incident:ResolvedPosted on: January 21, 2015 | 19:52 UTC
We are investigating an issue related to certain popular websites being blocked due to a security threat. Our security research team is validating these issues to ascertain if they are false positives.
We will post further updates shortly.
This has been resolved.