-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.1359
                  Citrix Security Advisory for CVE-2015-3456
                                 21 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix XenServer
Publisher:         Citrix
Operating System:  Citrix XenServer
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-3456
Reference:         ASB-2015.0051
                   ESB-2015.1343
                   ESB-2015.1326
                   ESB-2015.1319
                   ESB-2015.1308
                   ESB-2015.1307
                   ESB-2015.1306
                   ESB-2015.1304

Original Bulletin:
  http://support.citrix.com/article/CTX201078

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Security Advisory for CVE-2015-3456

CTX201078

Created on May 13, 2015
Updated on May 20, 2015

Security Bulletin

Severity : High

Description of Problem
----------------------

Citrix is aware of the recent vulnerability that has been reported against
the Xen hypervisor. This issue is known as the 'VENOM' vulnerability and has
been assigned the following CVE number:

  CVE-2015-3456: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456

Citrix is actively analysing the impact of this vulnerability on affected
products. Additional details and product-specific guidance can be found in
the following sections of this document.

Impacted Citrix Products
------------------------

Citrix XenServer

All supported versions of Citrix XenServer are impacted by this issue.
Hotfixes have been released to address this issue. Citrix strongly
recommends that affected customers install the relevant hotfixes as soon as
possible.

These hotfixes are available on the Citrix website at the following
locations:

  Citrix XenServer 6.5 SP1: CTX142483 - https://support.citrix.com/article/CTX142483
  Citrix XenServer 6.5:     CTX142482 - https://support.citrix.com/article/CTX142482
  Citrix XenServer 6.2 SP1: CTX142481 - https://support.citrix.com/article/CTX142481
  Citrix XenServer 6.1:     CTX142480 - https://support.citrix.com/article/CTX142480
  Citrix XenServer 6.0.2:   CTX142478 - https://support.citrix.com/article/CTX142478

  Customers using Citrix XenServer 6.0.2 in the Common Criteria evaluated
  configuration should apply the following hotfix:
                            CTX142479 - https://support.citrix.com/article/CTX142479

  Citrix XenServer 6.0.0:   CTX142477 - https://support.citrix.com/article/CTX142477

Citrix NetScaler Service Delivery Appliance

Citrix is actively investigating the potential impact of this issue on
Citrix NetScaler Service Delivery Appliances. In order to exploit this
issue, a malicious user would require administrative access within a
virtual appliance. In deployments where the virtual appliances and their
administrators are trusted, this issue would not present a risk. Further
information and mitigation guidance will be added to this document as soon
as it is available.

Citrix XenClient Enterprise

Citrix XenClient Enterprise is not believed to be affected by this issue.

Citrix Desktop Player for Mac

Citrix Desktop Player for Mac is not believed to be affected by this issue.

What Customers Should Do
------------------------

Citrix is actively analysing the impact of this vulnerability and any
required remediation steps will be added to this document as soon as they
are available. Citrix recommends that customers monitor this document for
any updates. Customers can register for security bulletin alerts at the
following address:

  http://support.citrix.com/profile/watches/

What Citrix Is Doing
--------------------

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at http://support.citrix.com/.

Obtaining Support on This Issue
-------------------------------

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are
available at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities
----------------------------------

Citrix welcomes input regarding the security of its products and considers
any and all potential vulnerabilities seriously. For guidance on how to
report security-related issues to Citrix, please see the following
document:

  CTX081743 - Reporting Security Issues to Citrix

Changelog
---------

  Date            Change
  May 13th 2015   Initial publication
  May 18th 2015   Reformatting and addition of XenServer, NetScaler SDX and
                  XenClient Enterprise sections
  May 20th 2015   Update to XenServer and Desktop Player sections

Applicable Products
-------------------

  XenServer 6.5
  XenServer 6.2.0
  XenServer 6.1.0
  XenServer 6.0.2
  XenServer 6.0

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVV1HhBLndAQH1ShLAQJNYBAAsCIv9i2oBwRODdKtHOO1aGEbZihic1Ho
Hs7R3azQ6mo/YOx2eQXL+Zuu4gfjioldQ6YQvANsIRRDO+oL7zxLlSLA1x1nF5nS
iS9CESf+CkplZ+c3RmbHUtK0XAaK6+LnqVyQrlw1RB9W+JJhuPSdY+jR+HgKfAt7
rxVmxYC2LHPx5IKZtcWL/Le+tmHv0BXrF5WCzsNwi/nAL86T2OM7C3HeOxEg1wX2
TAcCHvonLjLAOUuPiDN7bqyga3ps3eByzFRnrxa1T2VBn0O/6nHvyF4jwkRIPnmW
MvLTaEazp9f8Fs1CkrgOqgzlqEI2w0q01YF+L2itQhcJNd9DHMDMUD3H3xmDTkkp
PhmbXbfajiPC1vK6/SDU96J+uMSZM8rLqXPE8tF2zwCtDrsSXndB0h/Acawttaf6
OE780TYEvxBQTNiC02bfNIBZ/mTenwGFxHDDMtIqCMe+A2jLMFxCdWdNR77d/UgY
yQ/NdKZvZen+EIEnRWuwVt/ooWlTFoIWz4hSHyT0SLxnecdEQEyKB0KGI6rAnq/8
8MENLsNoiTaBN1FTxlFsVtnhtcpyeEfn7np2tnafbZB+goseaqH20N+Jr2p2v+L0
QdzYyb1GuJJnWSdGw2mWAGlww/i9rw0ZS3RRcmGqnvlK6Vz9ArtD2Q5etM/xr68q
v+JOuC0apBQ=
=IQuO
-----END PGP SIGNATURE-----