==================================================================== CERT-Renater Note d'Information No. 2020/VULN246 _____________________________________________________________________ DATE : 06/05/2020 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Citrix ShareFile storage versions prior to 5.10.0, 5.9.1, 5.8.1, 5.7.1, 5.6.1, 5.5.1. ===================================================================== https://support.citrix.com/article/CTX269106 _____________________________________________________________________ Citrix ShareFile storage zones Controller multiple security updates Reference: CTX269106 Category : Critical Created : 05 May 2020 Modified : 05 May 2020 Applicable Products o ShareFile Description of Problem Security issues have been identified in customer-managed Citrix ShareFile storage zone controllers. These vulnerabilities, if exploited, would allow an unauthenticated attacker to compromise the storage zones controller potentially giving an attacker the ability to access ShareFile users' documents and folders. These issues have been given the following identifiers: o CVE-2020-7473 o CVE-2020-8982 o CVE-2020-8983 Customer-managed storage zones created using the following versions of the storage zones controller are affected: o ShareFile storage zones Controller 5.9.0 o ShareFile storage zones Controller 5.8.0 o ShareFile storage zones Controller 5.7.0 o ShareFile StorageZones Controller 5.6.0 o ShareFile StorageZones Controller 5.5.0 o All earlier versions of ShareFile StorageZones Controller Storage zones created using the recently released versions of storage zones controllers listed below are not affected: o Storage Zones Controller 5.10.0 and later 5.10 releases o Storage Zones Controller 5.9.1 and later 5.9 releases o Storage Zones Controller 5.8.1 and later 5.8 releases o Storage Zones Controller 5.7.1 and later 5.7 releases o ShareFile StorageZones Controller 5.6.1 and later 5.6 releases o ShareFile StorageZones Controller 5.5.1 and later 5.5 releases Storage zones created using a vulnerable version of the storage zones controller are at risk even if the storage zones controller has been subsequently updated. What Customers Should Do Customers with Citrix-managed storage zones do not need to take any action. Customers with customer-managed storage zones should ensure they are running on a supported version. In order to address the issue customers are strongly recommended to run the mitigation tool as soon as possible on the storage zone controllers managing each impacted storage zone by following the guidance in the following support article: https://support.citrix.com/article/CTX269341 Acknowledgements Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and CVE-2020-8983 to protect Citrix customers. Changelog +--------------------------+--------------------------------------------------+ |Date |Change | +--------------------------+--------------------------------------------------+ |2020-05-05 |Initial publication | +--------------------------+--------------------------------------------------+ ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================