Description of Problem
A buffer overflow vulnerability has been identified in Citrix ADC and Citrix NetScaler Gateway which could possibly result in a denial-of-service in a specific configuration.
This vulnerability has been assigned the following CVE number:
• CVE-2019-12044: Buffer overflow vulnerability in Citrix ADC and Citrix NetScaler Gateway
This vulnerability is present in the following versions of Citrix ADC and Citrix NetScaler Gateway:
• 10.5.x earlier than version 10.5.70
• 11.1.x earlier than version 11.1.59.10
• 12.0.x earlier than version 12.0.59.8
• 12.1.x earlier than version 12.1.49.23
Mitigating Factors
The vulnerability can be mitigated by ensuring that virtual servers stay in the up state, or by disabling URL redirection. Removing the redirect URL from the load balancer configuration mitigates this issue. In situations where redirection is still needed for a load balancer virtual server that is down, ensure that the redirect URL contains at least a domain name ending with a /.
How to Configure Redirect URL on NetScaler Virtual Server When Virtual Server is Not Available: https://support.citrix.com/article/CTX108946
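As an added defender-side example (not Citrix's code and not part of this advisory), the following Python checks an appliance build string against the affected ranges listed above and audits a constructed ns.conf excerpt for load balancing virtual servers whose redirect URL lacks the domain-plus-"/" form the mitigation calls for. The `add lb vserver ... -redirectURL` line format and the dotted build-string layout are assumptions.

```python
import re
from urllib.parse import urlsplit

# Builds from the advisory: anything earlier than these on the same branch is affected.
FIXED_BUILDS = {
    "10.5": (10, 5, 70),
    "11.1": (11, 1, 59, 10),
    "12.0": (12, 0, 59, 8),
    "12.1": (12, 1, 49, 23),
}

# Assumed NetScaler CLI form: add/set lb vserver <name> ... -redirectURL "<url>"
REDIRECT_RE = re.compile(r'^(?:add|set) lb vserver (\S+) .*-redirectURL\s+"?([^"\s]+)"?')

# Constructed sample ns.conf excerpt (not from a real appliance).
SAMPLE_NS_CONF = """\
add lb vserver lb_web HTTP 10.0.0.10 80 -persistenceType NONE -redirectURL "http://maint.example.com"
add lb vserver lb_api HTTP 10.0.0.11 80 -redirectURL "https://maint.example.com/"
add lb vserver lb_int HTTP 10.0.0.12 80 -cltTimeout 180
"""


def is_affected(build):
    """True if a dotted build string (e.g. '12.1.49.22') falls in an affected range."""
    parts = tuple(int(p) for p in build.split("."))
    fixed = FIXED_BUILDS.get(f"{parts[0]}.{parts[1]}")
    if fixed is None:
        return False  # branch not listed in the advisory
    return parts < fixed  # tuple comparison: earlier build on the same branch


def redirect_url_ok(url):
    """Mitigation check: URL must carry a domain name followed by a '/'."""
    parts = urlsplit(url)
    return bool(parts.netloc) and parts.path.startswith("/")


def audit_config(config_text):
    """Return (vserver, url, status) for every redirect URL found in the config."""
    findings = []
    for line in config_text.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if m:
            name, url = m.group(1), m.group(2)
            findings.append((name, url, "ok" if redirect_url_ok(url) else "FLAG"))
    return findings


if __name__ == "__main__":
    print("12.1.49.22 affected:", is_affected("12.1.49.22"))
    for name, url, status in audit_config(SAMPLE_NS_CONF):
        print(f"{status:4} {name}: {url}")
```

Vservers with no redirect URL produce no finding, since removing the URL is itself one of the mitigations.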
What Customers Should Do
This vulnerability has been addressed in new versions of the Citrix ADC and Citrix NetScaler Gateway software. Citrix recommends that customers upgrade their Citrix ADC and Citrix NetScaler Gateway appliances to one of the following versions:
• 11.1.59.10 and later
• 12.0.59.8 and later
• 12.1.49.23 and later
These upgrades can be obtained from the Citrix website at the following locations:
Citrix ADC :
https://www.citrix.com/downloads/citrix-adc/
Citrix NetScaler Gateway:
https://www.citrix.com/downloads/citrix-gateway/product-software.html
The 10.5.70.x version is expected to be released in the near future; until it is released, it is recommended to apply the configuration mitigation or upgrade to a fixed version.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
| Date | Change |
|---|---|
| 13th May 2019 | Initial publication |