Citrix

Transport Layer Security Renegotiation Vulnerability

  • CTX123359
  • Created On: Nov 11, 2009
  • Updated On: Sep 05, 2013
  • Security Bulletin

Description of Problem

A vulnerability has been discovered in the Transport Layer Security (TLS) and Secure Socket Layer (SSL) protocols that could allow an attacker to inject malicious content at the beginning of a protected stream.

This vulnerability has been assigned the following CVE:

    • CVE-2009-3555: TLS Protocol Session Renegotiation Security Vulnerability

Citrix is actively assessing the possible impact of this issue on our current product range; details of any products known to be affected by this vulnerability will be added to this document as the investigation progresses. A current version of this document is available at the following address:

http://support.citrix.com/article/CTX123359

Citrix recommends that customers periodically review this document to ensure that they are kept up to date with its contents.

What Customers Should Do

A fix for this vulnerability has been released in the following products:

Citrix Online Plug-In for Windows:
Online Plug-in for Windows version 12.1
http://www.citrix.com/English/ss/downloads/details.asp?downloadId=2304987&productId=186&c1=sot2755

Citrix Secure Gateway:
Secure Gateway version 3.0 Hotfix 10
http://support.citrix.com/article/CTX121844

The following versions of Secure Gateway include a fix for secure renegotiation, and replace previously released versions of Secure Gateway.

Secure Gateway version 3.1.5
EN - http://support.citrix.com/article/CTX127793
JP - http://support.citrix.com/article/CTX127794

Secure Gateway version 3.2.1
EN - http://support.citrix.com/article/CTX126521
JP - http://support.citrix.com/article/CTX125250

Citrix XenApp (formerly known as Presentation Server):

Citrix XenApp 6 for Windows Server 2008 R2:
EN - http://support.citrix.com/article/CTX126679
FR - http://support.citrix.com/article/CTX128626
DE - http://support.citrix.com/article/CTX128627
JA - http://support.citrix.com/article/CTX128628

Citrix XenApp 5 for Windows Server 2008 x86:
EN - http://support.citrix.com/article/CTX126499
FR - http://support.citrix.com/article/CTX126500
DE - http://support.citrix.com/article/CTX126501
JA - http://support.citrix.com/article/CTX126502
ES - http://support.citrix.com/article/CTX126503

Citrix XenApp 5 for Windows Server 2008 x64:
EN - http://support.citrix.com/article/CTX126504
FR - http://support.citrix.com/article/CTX126505
DE - http://support.citrix.com/article/CTX126506
JA - http://support.citrix.com/article/CTX126507
ES - http://support.citrix.com/article/CTX126508

Citrix Presentation Server 4.5 with Feature Pack/XenApp 5 for Windows Server 2003 x86:
EN - http://support.citrix.com/article/CTX126460
FR - http://support.citrix.com/article/CTX126463
DE - http://support.citrix.com/article/CTX126461
JA - http://support.citrix.com/article/CTX126462
ES - http://support.citrix.com/article/CTX126464

Citrix Presentation Server 4.5 with Feature Pack/XenApp 5 for Windows Server 2003 x64:
EN - http://support.citrix.com/article/CTX126466
FR - http://support.citrix.com/article/CTX126469
DE - http://support.citrix.com/article/CTX126467
JA - http://support.citrix.com/article/CTX126468
ES - http://support.citrix.com/article/CTX126570

Citrix Access Essentials/XenApp Fundamentals 3.0:
EN - http://support.citrix.com/article/CTX126499
FR - http://support.citrix.com/article/CTX126500
DE - http://support.citrix.com/article/CTX126501
JA - http://support.citrix.com/article/CTX126502
ES - http://support.citrix.com/article/CTX126503

Citrix Access Essentials 2.0:
EN - http://support.citrix.com/article/CTX126460
FR - http://support.citrix.com/article/CTX126463
DE - http://support.citrix.com/article/CTX126461
JA - http://support.citrix.com/article/CTX126462
ES - http://support.citrix.com/article/CTX126464

Citrix NetScaler:
Appliance firmware version 8.1, build 68.7 or later, and version 9.1, build 99.8 or later. These builds are available at the following location:
https://www.citrix.com/English/ss/downloads/results.asp?productID=21679

Citrix Access Gateway Enterprise Edition:
Application software version 8.1, build 68.7 or later, and version 9.1, build 99.8 or later. These builds are available at the following location:
https://www.citrix.com/English/ss/downloads/results.asp?productID=15005&c1=pov1680613

Information on configuring Citrix NetScaler and Access Gateway Enterprise Edition can be found at the following location:
http://support.citrix.com/article/CTX123680

Citrix Access Gateway Standard Edition:
Appliance software version 4.6.2 or later. These builds are available at the following location:
https://www.citrix.com/English/ss/downloads/results.asp?productID=15005&c1=pov1680611&c2=sot36239

Citrix XenServer:
Citrix XenServer version 5.0 Update 3 and later, available from the following location:
http://support.citrix.com/article/CTX125318

Citrix XenServer version 5.5 Update 2 and later, available from the following location:
http://support.citrix.com/article/CTX125519

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.

