Archive: Vulnerability in Access Gateway appliance may allow information disclosure
This article is no longer maintained, its content refers to a discontinued product and may be out of date. Refer to the Discontinued Product Lifecycle or Active Citrix Product pages for more information on support schedules
Applicable Products
- Access Gateway 4.5 Advanced Edition
Description of Problem
When using Advanced Access Control with an Access Gateway appliance, unauthenticated remote users may be able to gain access to data on the Access Gateway appliance. The information disclosed could potentially lead to a compromise of the appliance.
This vulnerability affects the following products:
• Access Gateway 4.5 Advanced Edition
• Access Gateway 4.2 with Advanced Access Control 4.2 (currently known as Access Gateway 4.2 Advanced Edition)
When deployed with:
• Access Gateway appliance 4.2
• Access Gateway appliance 4.2.1
• Access Gateway appliance 4.2.2
Access Gateway appliances deployed without Advanced Access Control are not vulnerable to this issue.
What Customers Should Do
This vulnerability has been fixed in the Access Gateway appliance version 4.2.3 and later. Citrix recommends that customers upgrade their Access Gateway appliance to a fixed version which can be obtained from the following location:
• V4.2.3 - http://support.citrix.com/article/CTX108902
• V4.5 - My Citrix Portal located in the Support > Downloads > Product Software section
Acknowledgements
Citrix thanks Thierry Zoller and Laurent Kempenaar of Telindus PSF for reporting this issue and working with us to protect customers.
What Citrix Is Doing
Citrix is proactively notifying customers and channel partners about this potential security issue. An article containing the information in this bulletin is available from the Citrix Knowledge Base at http://support.citrix.com/.
Obtaining Support on this Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Information for contacting Citrix Technical Support is available at http://support.citrix.com/.
Reporting Security Vulnerabilities to Citrix
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities very seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com containing the exact version of the product in which the vulnerability was found and steps to reproduce the vulnerability.