CTX249976

CVE-2019-12044 - Buffer Overflow Vulnerability in Citrix ADC and Citrix NetScaler Gateway

Applicable Products

  • Citrix ADC

Description of Problem

A buffer overflow vulnerability has been identified in Citrix ADC and Citrix NetScaler Gateway which could possibly result in a denial-of-service in a specific configuration.

This vulnerability has been assigned the following CVE number:

• CVE-2019-12044: Buffer overflow vulnerability in Citrix ADC and Citrix NetScaler Gateway

This vulnerability is present in the following versions of Citrix ADC and Citrix NetScaler Gateway:

• 10.5.x earlier than version 10.5.70

• 11.1.x earlier than version 11.1.59.10

• 12.0.x earlier than version 12.0.59.8

• 12.1.x earlier than version 12.1.49.23


Mitigating Factors

The vulnerability can be mitigated by ensuring that virtual servers stay in the up state, or by disabling URL redirection. Removing the redirect URL from the load balancer configuration mitigates this issue. In situations where failover is still needed for a load balancer virtual server that is down, ensure that the redirect URL contains at least a domain name ending with a /.

How to Configure Redirect URL on NetScaler Virtual Server When Virtual Server is Not Available - https://support.citrix.com/article/CTX108946
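To audit a saved configuration for the mitigation above, the following is an added Python check (not from the advisory or from Citrix) that scans ns.conf-style lines for load balancer redirect URLs and flags any whose host is not followed by a "/". The `set lb vserver <name> -redirectURL <url>` syntax is assumed from the NetScaler CLI referenced in CTX108946, and the sample configuration lines are constructed.

```python
import re

# Constructed ns.conf-style sample (not a real appliance configuration).
# The "set lb vserver <name> -redirectURL <url>" form is assumed from the
# NetScaler CLI documented in CTX108946.
SAMPLE_NS_CONF = """\
add lb vserver web-lb HTTP 10.0.0.10 80
set lb vserver web-lb -redirectURL "https://backup.example.com/"
add lb vserver api-lb HTTP 10.0.0.11 80
set lb vserver api-lb -redirectURL "https://backup.example.com"
add lb vserver intra-lb HTTP 10.0.0.12 80
set lb vserver intra-lb -redirectURL "https://backup.example.com/maintenance.html"
add lb vserver plain-lb HTTP 10.0.0.13 80
"""

# Captures the vserver name and the (optionally quoted) redirect URL.
REDIRECT_RE = re.compile(r'^set lb vserver (\S+) .*-redirectURL\s+"?([^"\s]+)"?')

# The advisory's mitigation: the URL must contain at least a domain name
# ending with "/", i.e. scheme://host[:port]/ followed by anything.
SAFE_URL_RE = re.compile(r'^https?://[^/\s]+/')


def check_redirect_urls(ns_conf: str) -> dict:
    """Return {vserver_name: (redirect_url, meets_mitigation)} for every
    load balancer vserver that has a redirect URL configured."""
    results = {}
    for line in ns_conf.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if not m:
            continue  # not a redirect URL setting; vservers without one are unaffected
        name, url = m.groups()
        results[name] = (url, bool(SAFE_URL_RE.match(url)))
    return results


def unsafe_vservers(ns_conf: str) -> list:
    """Names of vservers whose redirect URL lacks a "/" after the host."""
    return sorted(n for n, (_, ok) in check_redirect_urls(ns_conf).items() if not ok)


if __name__ == "__main__":
    for name, (url, ok) in check_redirect_urls(SAMPLE_NS_CONF).items():
        verdict = "OK" if ok else "FIX: add a trailing / after the domain name"
        print(f"{name}: {url} -> {verdict}")
```

Run it against the output of `show ns runningConfig` (or a copy of ns.conf) instead of the constructed sample to list the vservers that still need the redirect URL adjusted or removed.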


What Customers Should Do

This vulnerability has been addressed in new versions of the Citrix ADC and Citrix NetScaler Gateway software. Citrix recommends that customers upgrade their Citrix ADC and Citrix NetScaler Gateway appliances to one of the following versions:

• 11.1.59.10 and later

• 12.0.59.8 and later

• 12.1.49.23 and later

These upgrades can be obtained from the Citrix website at the following locations:

Citrix ADC :

https://www.citrix.com/downloads/citrix-adc/

Citrix NetScaler Gateway:

https://www.citrix.com/downloads/citrix-gateway/product-software.html

Version 10.5.70.x is expected to be released in the near future; until it is released, Citrix recommends applying the configuration mitigation or upgrading to a fixed version.


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 - Reporting Security Issues to Citrix


Changelog

Date           Change
13th May 2019  Initial publication