Citrix License Server susceptibility to certain Apache CVEs
Article ID: CTX493874
Description
Citrix License Server may be flagged by vulnerability scanners as potentially impacted by CVE-2006-20001, CVE-2022-36760, and/or CVE-2022-37436. This is because Citrix License Server uses Apache version 2.4.54 in License Server version 11.17.2 build 42000 (and older versions of Apache in older builds of License Server).
Resolution
Citrix License Server is not affected by these vulnerabilities for the following reasons:
- CVE-2006-20001: We do not include mod_dav in License Server installations.
- CVE-2022-36760: We do not include mod_proxy* in License Server installations.
- CVE-2022-37436: We do not include mod_proxy* in License Server installations.
- CVE-2023-25690: We do not include mod_proxy* in License Server installations.
- CVE-2023-27522: We do not include mod_proxy* in License Server installations.
- View the Apache modules on the License Server in C:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\modules
- If a vulnerability scanner flags the License Server as being susceptible to any of these CVEs, check to ensure that the module is not present (for instance, if running more than one Apache application on the server, one of the others may have included it).
- If the module isn't there, report the false positive through the appropriate channels to the maintainers of the scanner.
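The module check described above can be scripted and its output attached to a false-positive report. The following PowerShell is an added example, not Citrix code: the module-to-CVE mapping and the default path come from the list above, while the `-ModulesPath` parameter name and the exit codes are assumptions of this example.

```powershell
# Added example (not Citrix tooling): look for the Apache modules tied to the
# CVEs listed in this article in one or more Apache "modules" directories.
param(
    # Default is the License Server path given in this article. Pass additional
    # directories to cover other Apache installations on the same server.
    [string[]]$ModulesPath = @(
        'C:\Program Files (x86)\Citrix\Licensing\WebServicesForLicensing\Apache\modules'
    )
)

# Mapping taken from the Resolution list. 'mod_dav*' also matches the helper
# modules mod_dav_fs and mod_dav_lock, which only ship alongside mod_dav.
$checks = @(
    [pscustomobject]@{ Pattern = 'mod_dav*';   Cves = @('CVE-2006-20001') }
    [pscustomobject]@{ Pattern = 'mod_proxy*'; Cves = @('CVE-2022-36760', 'CVE-2022-37436',
                                                        'CVE-2023-25690', 'CVE-2023-27522') }
)

$results = foreach ($dir in $ModulesPath) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Warning "Module directory not found: $dir"
        continue
    }
    foreach ($check in $checks) {
        $hits = @(Get-ChildItem -LiteralPath $dir -Filter $check.Pattern -File -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Directory     = $dir
            Pattern       = $check.Pattern
            Cves          = $check.Cves -join ', '
            ModulePresent = ($hits.Count -gt 0)
            Files         = ($hits.Name -join ', ')
        }
    }
}

# Exit codes (example convention): 0 = no listed module found,
# 1 = at least one listed module present, 2 = no directory could be checked.
if (-not $results) { exit 2 }
$results | Format-Table -AutoSize -Wrap
if ($results | Where-Object ModulePresent) { exit 1 } else { exit 0 }
```

A row with `ModulePresent` set to `True` for a directory outside the License Server path points to another Apache application on the host as the source of the scanner finding.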
Issue/Introduction
Citrix License Server is not affected by CVE-2006-20001, CVE-2022-36760, CVE-2022-37436, CVE-2023-25690, or CVE-2023-27522
Additional Information
The version of Apache will be noted in https://docs.citrix.com/en-us/licensing/current-release/about.html