Citrix Blogs

Vulnerability Update: First permanent fixes available, timeline accelerated

As you know, we recently announced a vulnerability, along with comprehensive mitigations, affecting certain versions of Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, as well as certain deployments of two older versions of our Citrix SD-WAN WANOP product, versions 10.2.6 and 11.0.3. If exploited, the vulnerability could allow an unauthenticated attacker to perform arbitrary code execution.

I have two important updates:

Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here.

We have moved forward the availability of permanent fixes for other ADC versions and for SD-WAN WANOP from our previous target dates as follows:

Citrix ADC and Citrix Gateway

| Version | Refresh Build | Release Date |
|---|---|---|
| 11.1 | 11.1.63.15 | January 19, 2020 |
| 12.0 | 12.0.63.13 | January 19, 2020 |
| 12.1 | 12.1.55.x | January 24, 2020 |
| 10.5 | 10.5.70.x | January 24, 2020 |
| 13.0 | 13.0.47.x | January 24, 2020 |

Citrix SD-WAN WANOP

| Release | Citrix ADC Release | Release Date |
|---|---|---|
| 10.2.6 | 11.1.51.615 | January 24, 2020 |
| 11.0.3 | 11.1.51.615 | January 24, 2020 |

We urge customers to install these fixes immediately. There are several important points to keep in mind in doing so. These fixes are for the indicated versions only. If you have multiple ADC versions in production, you must apply the correct version fix to each system.

If you have not already done so, you need to apply the previously supplied mitigations to ADC versions 12.1, 13, 10.5 and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available. Once complete, you can use the tool we have previously provided to ensure the mitigations have successfully been applied. While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible.

The permanent fixes being made available today are applicable to all supported subsets of those versions. Upgrade guides can be found on the download pages. While the updates are not difficult, we do recommend you review the instructions prior to installation. In addition, we have staffed our support center with strong networking technical resources who are ready to support you on the installs if needed.

As always, we remain deeply committed to the security of our solutions and to helping you manage CVE-2019-19781 and will continue to provide updates and support via our Support Knowledge Center. To receive updates automatically, visit: https://support.citrix.com/user/alerts.
