-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0676
     Security Bulletin: Vulnerability in GNU C Library(glibc) affects
            WebSphere DataPower XC10 Appliance(CVE-2015-7547)
                               14 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix License Server
                   Citrix XenMobile Server
                   Citrix XenMobile Device Manager
                   Citrix CloudBridge
                   Citrix NetScaler
                   Citrix NetScaler Gateway
                   Citrix Command Center
Publisher:         Citrix
Operating System:  Windows
                   Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8277

Reference:         ESB-2016.0492
                   ESB-2016.0439.2
                   ESB-2016.0422
                   ESB-2016.0419.2
                   ESB-2016.0417
                   ESB-2016.0406
                   ESB-2016.0394
                   ESB-2016.0387

Original Bulletin:
   http://support.citrix.com/article/CTX207824

- --------------------------BEGIN INCLUDED TEXT--------------------

CTX207824
Citrix Licensing Security Updates to Address CVE-2015-8277

Security Bulletin | High | Created: 10 Mar 2016 | Modified: 10 Mar 2016

Description of Problem

A vulnerability has been identified in Citrix Licensing that could allow a
remote, unauthenticated attacker to crash the License Server and potentially
execute arbitrary code on the server.

This vulnerability affects the following products:

  - Citrix License Server for Windows earlier than version 11.13.1.2
  - Citrix License Server VPX earlier than version 11.13.1.2

In addition to the above, the vulnerable component is included in some other
Citrix products. Please see the following section for more specific product
guidance. This document will be updated as our investigation continues.
Additional Affected Products

Citrix CloudBridge

We are currently investigating the potential impact of this vulnerability on
Citrix CloudBridge and this section will be updated as more information
becomes available.

Citrix NetScaler

Citrix NetScaler and NetScaler Gateway: Citrix NetScaler and NetScaler
Gateway, both MPX and VPX, are not affected by this vulnerability. Citrix
NetScaler SVM and Insight Center are currently in the process of being
investigated and this section will be updated when more information is
available.

Citrix Command Center: Citrix Command Center is not affected by this
vulnerability.

Citrix XenMobile

A vulnerable version of the Citrix License Server is installed as part of the
initial configuration of the following versions of Citrix XenMobile:

  - XenMobile Server 10.3.x
  - XenMobile Server 10.1.x
  - XenMobile Server 10.0.x
  - XenMobile Device Manager 9.0

Citrix XenMobile App Controller version 9.0.x is not affected by this
vulnerability.

Customers using Citrix XenMobile Device Manager 9.0.x should verify the
version of Citrix Licensing installed and upgrade the local License Server
for Windows to version 11.12.1.2 or later.

Customers using Citrix XenMobile Server 10.3.x, 10.1.x and 10.0.x should note
that, due to the way the server is configured, the potential impact of this
vulnerability on the local License Server is greatly reduced. Citrix is
currently in the process of creating patches for this issue and this bulletin
will be updated when further information is available.

Citrix ByteMobile

ByteMobile Unison Traffic Manager, ByteMobile Reporting Dashboard, ByteMobile
Data Loader, and T2000 that use Flexera software are unaffected by this
vulnerability. This section will be updated when we have more information
available.

Mitigating Factors

In order to exploit this issue, an attacker would need network access to the
License Server. In most deployments, the License Server would not be exposed
to the public Internet.
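The bulletin asks customers to verify the installed Citrix Licensing version and upgrade to 11.13.1.2 or later, and notes that exposure depends on whether the License Server is reachable from outside. The following is an added example, not code from Citrix or AusCERT, that turns that guidance into an inventory check. It assumes the installed version for each host has already been collected (for instance from a configuration-management system); the inventory embedded below is constructed for illustration. The one detail worth getting right is that the comparison must be numeric per component: a plain string comparison ranks "11.9" above "11.13" and would mark a vulnerable host as patched.

```python
"""Inventory check for the Citrix License Server upgrade recommended in CTX207824.

Added example, not code from Citrix or AusCERT. It assumes the installed
License Server version per host has already been collected; the inventory
below is constructed for illustration.
"""
from __future__ import annotations

# Fixed version named in the bulletin: anything earlier is affected.
FIXED_VERSION = "11.13.1.2"


def parse_version(text: str) -> tuple[int, ...]:
    """Split a dotted version such as '11.13.1.2' into integer components.

    Comparing the raw strings would rank '11.9' above '11.13', so each
    component has to be compared as a number.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.

    Shorter versions are padded with zeros so that '11.13' equals '11.13.0.0'.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed License Server predates the fixed release."""
    return compare_versions(installed, fixed) < 0


# Constructed sample inventory: hostname, installed version, and whether the
# License Server is reachable from untrusted networks. The bulletin's
# mitigating factor is that most deployments are not Internet-exposed, so
# exposure drives the priority of a vulnerable host.
CONSTRUCTED_INVENTORY = [
    {"host": "lic-prod-01", "version": "11.12.1.0", "internet_exposed": True},
    {"host": "lic-prod-02", "version": "11.13.1.2", "internet_exposed": False},
    {"host": "lic-lab-01", "version": "11.9", "internet_exposed": False},
    {"host": "lic-new-01", "version": "11.13.2", "internet_exposed": True},
]


def triage(entry: dict) -> str:
    """Classify one host: 'urgent' (vulnerable and exposed), 'high'
    (vulnerable but internal only) or 'ok' (on the fixed version or later)."""
    if not is_vulnerable(entry["version"]):
        return "ok"
    return "urgent" if entry["internet_exposed"] else "high"


def audit(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Return (host, version, status) for every host, worst first."""
    order = {"urgent": 0, "high": 1, "ok": 2}
    rows = [(e["host"], e["version"], triage(e)) for e in inventory]
    return sorted(rows, key=lambda r: order[r[2]])


if __name__ == "__main__":
    for host, version, status in audit(CONSTRUCTED_INVENTORY):
        print(f"{status:6} {host:12} {version}")
```

Running the block prints the constructed hosts worst first; swap in your own inventory rows to use it against real data.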
What Customers Should Do

Citrix has released a new version of the License Server for Windows and the
License Server VPX that addresses this vulnerability. Citrix strongly
recommends that customers upgrade to the following versions:

  - Citrix License Server for Windows version 11.13.1.2 or later
  - Citrix License Server VPX version 11.13.1.2 or later

These new versions can be downloaded from the following location:

https://www.citrix.com/downloads/licensing.html

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers
any and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document:
CTX081743 Reporting Security Issues to Citrix

Changelog

Date              Change
March 10th 2016   Initial bulletin publishing
March 10th 2016   Add XenMobile products to Applicable Products section
March 10th 2016   Add ByteMobile products to Additional Affected Products
                  section

Applicable Products

  - Citrix Licensing 11.12
  - Citrix Licensing 11.11
  - Citrix Licensing 11.10
  - Citrix Licensing 11.9
  - Citrix Licensing 11.6
  - Citrix Licensing 11.5
  - XenMobile 10.0
  - XenMobile 10.1
  - XenMobile 10.3
  - XenMobile 9.0

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVuYW6X6ZAP0PgtI9AQLvlQ//RME/ktlFSZBBEfSFNHDlr0VugKbxrsMm
Zds9iZXjgYlSSCGWhS9hF5ZjlGg/anNXiNhSd7qYsIKgVrzTSpk0lASCWaNbfK/m
ZoVnBvq7W/AO8a6HEmLsbcxqiBZReHj9eIOvMf2KYRBNSIao2BeMJ9mCbmuCwzoK
O6V/WjYY5TBB31TfbSFYKvGhGFV+JRIhsAHd0NspFXATGwLkdZEX2F5AiMxN6Guj
eJ9jHvxG/Q+/SXqXnw2Rlk5FKc1dcLI9j5j8yHzN6kx3f8qMaOlmnMc2UfHvbvfp
dRPcsuhO8ScKxK5MUOfEywTrSQSfSD6aaRPdKkKXy2HGTxqYFISEHquC73Kc9p+Q
Tk0wZcljgpWMM2blr+gw5BBdZlbm+WqFu6LWjyHX6epXGnJZ26894zYNtTFHgDv1
OSzi2gEbj9OIk4EdlplGZFq91QCVH03KNK6DNN5ayMM8jnT/fYepVGsP2rNp0lDl
iJQCes785btwIpbrkUxviXuhOU5Th2wsfWvrWDhUGEwPepknomfJYyc5ELYME4c+
0+c54CZtOWEnfamOV6UzINpQHo/VrimqD8chBYD6pVTFrxfrL4j4xCPoAlW/8kef
268AIKiqx6O6nAUEbNd59dx4Y4T0zvSqIP53F4w8Th87shoCXQHSObNsA5XnhPul
SJw/FRtjQBc=
=/E67
-----END PGP SIGNATURE-----