
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN224
____________________________________________________________________

DATE                : 23/05/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Citrix XenApp versions up to and
                           including 6.5.

======================================================================
http://support.citrix.com/article/CTX133159
______________________________________________________________________

Vulnerability in Citrix XenApp could result in denial of service.
Document ID: CTX133159  /  Created On: 22 May 2012  /  Updated On:
22 May 2012

Severity: Low


Description of Problem

A vulnerability has been identified in Citrix XenApp that, when
triggered, could result in a denial of service.

This vulnerability is present in all versions of Citrix XenApp,
formerly known as Presentation Server, up to and including version
6.5.


Mitigating Factors

In order to trigger this vulnerability, an attacker would need to
be able to directly access the XenApp server. When deployed
according to established best practice, the XenApp server would
not be directly exposed and an Internet-based attacker would not
be able to trigger this vulnerability.


What Customers Should Do

A hotfix has been released to address this issue. Citrix recommends
that affected customers install this hotfix, which can be
downloaded from the following locations:

Citrix XenApp 6.5 for Windows Server 2008 R2:
EN - http://support.citrix.com/article/CTX133001
FR - http://support.citrix.com/article/CTX133229
DE - http://support.citrix.com/article/CTX133230
JA - http://support.citrix.com/article/CTX133231
Citrix XenApp 6.0 for Windows Server 2008 R2:
EN - http://support.citrix.com/article/CTX130473
FR - http://support.citrix.com/article/CTX131529
DE - http://support.citrix.com/article/CTX131527
JA - http://support.citrix.com/article/CTX131528
ES - http://support.citrix.com/article/CTX131530
SC - http://support.citrix.com/article/CTX131531
Citrix XenApp 5 for Windows Server 2008 64-bit Edition:
EN - http://support.citrix.com/article/CTX133131
FR - http://support.citrix.com/article/CTX133134
DE - http://support.citrix.com/article/CTX133132
JA - http://support.citrix.com/article/CTX133133
ES - http://support.citrix.com/article/CTX133135
Citrix XenApp 5 for Windows Server 2008 32-bit Edition:
EN - http://support.citrix.com/article/CTX133126
FR - http://support.citrix.com/article/CTX133129
DE - http://support.citrix.com/article/CTX133127
JA - http://support.citrix.com/article/CTX133128
ES - http://support.citrix.com/article/CTX133130
Citrix Presentation Server 4.5/XenApp 5 for Windows Server 2003 64-bit
Edition:
EN - http://support.citrix.com/article/CTX133360
FR - http://support.citrix.com/article/CTX133363
DE - http://support.citrix.com/article/CTX133361
JA - http://support.citrix.com/article/CTX133362
ES - http://support.citrix.com/article/CTX133364
Citrix Presentation Server 4.5/XenApp 5 for Windows Server 2003 32-bit
Edition:
EN - http://support.citrix.com/article/CTX133359
FR - http://support.citrix.com/article/CTX133367
DE - http://support.citrix.com/article/CTX133365
JA - http://support.citrix.com/article/CTX133366
ES - http://support.citrix.com/article/CTX133368


Acknowledgements

Citrix thanks the following for working with us to protect Citrix
Customers:
• Xiaopeng Zhang of Fortinet's FortiGuard Labs (http://www.fortinet.com)
• Alex Chapman of Context Information Security Ltd.
(http://www.contextis.co.uk/)


What Citrix Is Doing

Citrix is notifying customers and channel partners about this
potential security issue. This article is also available from
the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical
Support are available at
http://www.citrix.com/site/ss/supportContacts.asp.


Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. If you
would like to report a security issue to Citrix, please compose an
e-mail to secure@citrix.com stating the exact version of the product
in which the vulnerability was found and the steps needed to reproduce
the vulnerability.

This document applies to:

Feature Pack 1 for Presentation Server 4.5
Presentation Server 4.5 SE Edition
Presentation Server 4.5 for Windows Server 2003
Presentation Server 4.5 for Windows Server 2003 x64 Edition
XenApp 5.0 for Windows Server 2003 x64
XenApp 5.0 for Windows Server 2003 x86
XenApp 6.0 for Windows Server 2008 R2
XenApp 6.5 for Windows Server 2008 R2
XenApp Fundamentals 2.0
XenApp Fundamentals 3.0
XenApp Fundamentals 6.0 for Windows Server 2008 R2


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
