
====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN312

_____________________________________________________________________

DATE                : 09/10/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix Application Delivery
                      Management version 12.1 earlier than build 54.13,
                      Citrix Application Delivery Management Cloud
                      version 13.0 earlier than build 41.20.

=====================================================================
https://support.citrix.com/article/CTX261735
_____________________________________________________________________

CVE-2019-TBD - Citrix Application Delivery Management (ADM) Console
Security Update

Reference: CTX261735

Category : Medium

Created  : 08 Oct 2019

Modified : 08 Oct 2019

Applicable Products

  o Citrix Application Delivery Management

Description of Problem

An authorisation bypass vulnerability was discovered in the Citrix
Application Delivery Management (ADM) server. The vulnerability allows
a Citrix ADM user with read-only privilege to access managed instances
with admin level permissions.

The following deployment scenarios are affected:

1. A Citrix Application Delivery Management server on-premises

2. A Citrix Application Delivery Management on Cloud, deployed
on-premises or in customer-managed cloud datacenters.

This vulnerability has been assigned the following CVE number:

  o CVE-2019-TBD: Improper Access Control in Citrix Application Delivery
    Management Server.


This vulnerability affects the following product versions:

  o Citrix Application Delivery Management version 12.1 earlier than
    build 54.13

  o Citrix Application Delivery Management Cloud version 13.0 earlier
    than build 41.20


What Customers Should Do

This vulnerability has been addressed in the following versions of Citrix
Application Delivery Management:

  o Citrix Application Delivery Management version 12.1 build 54.13 and
    later
  o Citrix Application Delivery Management Cloud version 13.0 build
    41.20 and later
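The fixed builds above are the only thresholds an operator needs in order to
triage an ADM inventory. The following is an added example, not code from
the advisory, Citrix or CERT-Renater: it parses an installed version as an
operator might record it (the "12.1 build 54.13" string format and the
inventory dictionary are assumptions, constructed for this example) and
classifies each instance as affected or fixed according to the builds
listed in CTX261735.

```python
"""Triage Citrix ADM instances against the fixed builds in CTX261735.

Added example, not part of the advisory. The version string format
("<major>.<minor> build <b1>.<b2>" or "<major>.<minor>-<b1>.<b2>") and the
sample inventory below are assumptions constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# First build in each branch that contains the fix, as stated in the advisory.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int]] = {
    (12, 1): (54, 13),  # ADM 12.1 build 54.13 and later
    (13, 0): (41, 20),  # ADM Cloud 13.0 build 41.20 and later
}

# Accepts "12.1 build 54.13" or "12.1-54.13" (assumed operator notation).
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s+build\s+|-)(\d+)\.(\d+)\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Split a version string into (branch, build) integer tuples.

    Integer tuples are used so that build 54.9 compares lower than 54.13;
    a plain string comparison would get that wrong.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ADM version string: {text!r}")
    major, minor, b1, b2 = (int(g) for g in m.groups())
    return (major, minor), (b1, b2)


def assess(text: str) -> str:
    """Return 'affected', 'fixed' or 'not-listed' for one version string.

    'not-listed' means the branch is not named in the advisory at all, which
    is reported separately rather than silently treated as safe.
    """
    branch, build = parse_version(text)
    fixed: Optional[Tuple[int, int]] = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "not-listed"
    return "affected" if build < fixed else "fixed"


def needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose recorded version is still affected."""
    return sorted(host for host, ver in inventory.items()
                  if assess(ver) == "affected")


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY: Dict[str, str] = {
    "adm-onprem-01": "12.1 build 54.9",
    "adm-onprem-02": "12.1 build 54.13",
    "adm-cloud-01": "13.0-41.19",
    "adm-cloud-02": "13.0 build 41.20",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        print(f"{host:14s} {ver:20s} {assess(ver)}")
    print("needs upgrade:", needing_upgrade(SAMPLE_INVENTORY))
```

Because the advisory only names the 12.1 and 13.0 branches, any other branch
is returned as "not-listed" so it shows up for manual review instead of being
assumed patched.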

Citrix has already updated all Citrix ADM instances deployed on Citrix
Cloud to the latest version.

Citrix recommends that customers affected by this vulnerability upgrade
to a version of Citrix Application Delivery Management that contains a
fix for this issue as soon as their normal patching schedule allows.

The latest on-premises version is available on the Citrix website at
the following address:
https://www.citrix.com/downloads/citrix-application-management


Changelog

+-----------------------------------+-----------------------------------+
|Date                               |Change                             |
+-----------------------------------+-----------------------------------+
|8th October 2019                   |Initial Publication                |
+-----------------------------------+-----------------------------------+


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
