CTX200355
all
Security Bulletin
2016-03-11
2005-06-06
Citrix is aware of recent vulnerability reports that impact Network Time Protocol (NTP) and is actively investigating the potential impact of these ...

Description of Problem

Citrix is aware of recent vulnerability reports that impact Network Time Protocol (NTP) and is actively investigating the potential impact of these issues on Citrix products.?? There are a number of CVEs related to this issue, the current set includes:

  • CVE-2014-9293
  • CVE-2014-9294
  • CVE-2014-9295
  • CVE-2014-9296
The following sections provide some initial guidance to customers on the potential impact of this issue. Please note that this issue is under active analysis and, as such, customers should check back frequently to get the current status of our response.

NetScaler ADC & NetScaler Gateway

By default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. NTP has recently been upgraded to 4.2.8 which contains the fixes for these vulnerabilities on all supported versions. Customers are advised to upgrade to??

  • NetScaler ADC and NetScaler Gateway 10.1 Build 133.9 or later
  • NetScaler ADC and NetScaler Gateway 10.5 Build 58.11 or later
  • NetScaler ADC and NetScaler Gateway 10.5.e Build 58.1108.e or later
  • NetScaler ADC and NetScaler Gateway 11.0 Build 55.20 or later

to avail these fixes.

??


XenServer

Some XenServer versions may include a version of ntpd that contains the vulnerable code. However, the NTP configuration used by XenServer results in these issues not being exploitable as the relevant functionality cannot be reached by untrusted network traffic.


XenMobile App Controller

A patch for affected versions of Citrix AppController has been released that address this vulnerability. This patch is available on the Citrix website at the following address:

https://support.citrix.comhttp://support.ctx.org.cn/CTX142031.citrix

Citrix recommends that customers using affected versions of App Controller apply this patch to their appliances as soon as their patching schedule allows.


Citrix CloudPlatform

The following versions of Citrix CloudPlatform are impacted by this vulnerability:

  • Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.3.0.2.??
  • Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.2.1-6.??
  • Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of CloudPlatform up to and including?? version 3.0.7 Patch G.??

Citrix CloudPlatform 4.5 is not affected by this vulnerability.

Customers using affected versions of Citrix CloudPlatform should update their SystemVM ISO. Download details and more informaiton on how to update the SystemVM ISO can be found at the following address:?? https://support.citrix.comhttp://support.ctx.org.cn/CTX200459.citrix

In addition to updating the SystemVM ISO, all customers should update their system and router virtual machine templates to the latest version. More information on how to obtain and upgrade these templates is available in the following article:?? https://support.citrix.comhttp://support.ctx.org.cn/CTX200024.citrix


Citrix VDI-In-A-Box

The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:

Citrix VDI-In-A-Box 5.4.x:?? ?? A new version of VIAB, 5.4.6, has been released to address this vulnerability. This can be found at the following address:?? https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html

Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address:?? https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at?? /.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at?? http://www.citrix.com/site/ss/supportContacts.asp.??


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 –?? Reporting Security Issues to Citrix


Changelog

Date Change
January 6th 2015 Initial bulletin publishing
January 12th 2015 Addition of XenServer section
February 2nd 2015 Addition of XenMobile App Controller section
March 4th 2015 Addition of CloudPlatform section
March 18th 2015 Addition of VDI-In-A-Box section
June 18th 2015 Update to VDI-In-A-Box section
March 10th 2016 Update to Netscaler ADC & Netscaler Gateway section

Applicable Products

 

Join the conversation

Citrix Discussions

Open a case

Citrix Support

特别说明


本文来源为Citrix.com所有,翻译后版权归翻译者所有.如需转载请注明出处.

文档版本


.

广告招租


最新留言


.

广告招租


.