=====================================================================
                                   CERT-Renater

                        Information Note No. 2009/VULN445
_____________________________________________________________________

DATE                      : 06/11/2009

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Citrix NetScaler systems,
                             Citrix NetScaler Application Firewall,
                             Citrix Access Gateway Enterprise Edition.

======================================================================
http://support.citrix.com/article/CTX123060
______________________________________________________________________

Vulnerability in Citrix NetScaler, Citrix NetScaler Application Firewall
and Citrix Access Gateway Enterprise Edition could result in Denial of
Service.

Document ID: CTX123060   /   Created On: Nov 2, 2009   /
Updated On: Nov 4, 2009

Severity: High


Description of Problem

A vulnerability has been identified in components of the
Citrix NetScaler, NetScaler Application Firewall and
Access Gateway Enterprise Edition that, when triggered,
results in a denial of service.

This vulnerability affects appliance firmware version 9.0 prior
to build 70.5 and appliance firmware version 9.1 prior to
build 96.4 only, when the following features are in use:

    * URL Transform
    * Application Firewall
    * AGEE Clientless VPN

Previous versions of the appliance firmware (8.1, 8.0, 7.0)
are not affected by this vulnerability.
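
The affected-version conditions above can be checked across an appliance inventory. The following is an added example, not part of the Citrix advisory; the inventory line format, host names, feature labels and the "latent" status are assumptions made for illustration.

```python
import re

# Fixed builds from the advisory: 9.0 build 70.5 and 9.1 build 96.4.
FIXED_BUILD = {"9.0": (70, 5), "9.1": (96, 4)}
# Releases the advisory lists as not affected.
NOT_AFFECTED = {"8.1", "8.0", "7.0"}
# Features that must be in use; these labels are this example's own naming.
TRIGGERS = {"url-transform", "application-firewall", "agee-clientless-vpn"}
# Assumed inventory line: "<host> <release> <build> <features|->" (hypothetical).
LINE_RE = re.compile(r"^(\S+)\s+(\d+\.\d+)\s+(\d+(?:\.\d+)*)\s+(\S+)$")

def triage(release, build, features):
    """Classify one appliance against the advisory's conditions."""
    if release in NOT_AFFECTED:
        return "not-affected"
    fixed = FIXED_BUILD.get(release)
    if fixed is None:
        return "unknown"  # release not mentioned in the advisory
    # Compare builds as integer tuples so that 70.10 sorts after 70.5.
    if tuple(int(p) for p in build.split(".")) >= fixed:
        return "not-affected"
    # Vulnerable build: affected only if a trigger feature is in use.
    # "latent" is this example's label for a vulnerable build with none in use.
    return "affected" if TRIGGERS & set(features) else "latent"

def scan(inventory):
    """Map each host in the inventory text to its triage status."""
    results = {}
    for line in inventory.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            results[line.strip()] = "unparsed"
            continue
        host, release, build, feats = m.groups()
        features = [] if feats == "-" else feats.split(",")
        results[host] = triage(release, build, features)
    return results

# Constructed sample inventory; hosts and build numbers are illustrative only.
SAMPLE = """
ns-edge-01 9.1 96.4  application-firewall
ns-edge-02 9.1 95.3  url-transform,agee-clientless-vpn
ns-dmz-01  9.0 70.10 application-firewall
ns-dmz-02  9.0 69.4  -
ns-old-01  8.1 69.3  application-firewall
ns-lab-01  9.2 48.6  url-transform
"""

if __name__ == "__main__":
    for host, status in scan(SAMPLE).items():
        print(f"{host:12} {status}")
```

Appliances reported as "latent" run a vulnerable build with none of the listed features in use, so they still need the upgrade before any of those features is enabled.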


What Customers Should Do

This vulnerability has been addressed in a new release of the
firmware for the affected products. Citrix strongly recommends
that customers upgrade their NetScaler, NetScaler Application Firewall
and Access Gateway Enterprise Edition appliances to the
latest versions.

The new firmware versions can be obtained from the Download Center
on the Citrix website:


Citrix NetScaler:

https://www.citrix.com/English/ss/downloads/results.asp?productID=21679

Citrix Access Gateway Enterprise Edition:

https://www.citrix.com/English/ss/downloads/results.asp?productID=15005

Citrix NetScaler Application Firewall:

https://www.citrix.com/English/ss/downloads/results.asp?productID=21679


Acknowledgements

Citrix would like to thank the following for working with us to protect our customers:

Rob Carter, Ernst & Young's Advanced Security Center
Nathan McFeters, Ernst & Young's Advanced Security Center
Neel Mehta, Google Security Team


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix
Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at http://www.citrix.com/site/ss/supportContacts.asp.


Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers
any and all potential vulnerabilities seriously. If you would like to
report a security issue to Citrix, please compose an e-mail to
secure@citrix.com stating the exact version of the product in which
the vulnerability was found and the steps needed to reproduce the vulnerability.

This document applies to:

    * Access Gateway 9.0 Enterprise Edition
    * Access Gateway 9.1 Enterprise Edition
    * Application Firewall Software 9.0
    * NetScaler Application Delivery Software 9.0
    * NetScaler Application Delivery Software 9.1
    * NetScaler VPX 9.1


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================




