CVSS3 metric | Value |
---|---|
Score | 3.4 Low |
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N |

CVSS2 metric | Value |
---|---|
Score | 4.3 Medium |
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |

EPSS | Value |
---|---|
Score | 0.975 High |
Percentile | 100.0% |
The recently disclosed protocol flaw in SSLv3, referred to as CVE-2014-3566 (<https://vulners.com/cve/CVE-2014-3566>) or POODLE, could expose some deployments that support SSLv3 to a risk of an active Man in the Middle (MITM) attack. A successful attack could lead to the disclosure of the information that is being sent over the encrypted channel.
Considering the mitigating factors described below, Citrix does not consider this to be a high risk vulnerability. However, Citrix recommends that customers review their usage of SSLv3 and take steps to reconfigure their deployments to remove support for SSLv3 where appropriate.
Customers should consider the following mitigating factors when assessing the risks posed by this issue:
The following sections provide guidance on configuring SSLv3 support for relevant Citrix products; additional sections will be added as our analysis progresses. Customers requiring further assistance should refer to the documentation for their products or contact their normal Citrix Support representative. Product documentation is available on the Citrix website at the following address: <http://support.citrix.com/proddocs/topic/infocenter/ic-how-to-use.html>
Customers should note that some scanning tools may report the TLS and DTLS Padding Validation Vulnerability described in CTX200378 as the “POODLE” or “TLS POODLE” vulnerability. If these issues are still being reported when SSLv3 has been disabled please refer to CTX200378 for guidance.
NetScaler vServers:
To disable SSLv3 on a specific vServer, run the following command from the NSCLI:
set ssl vserver <vservername> -ssl3 disabled
NetScaler Management Interfaces:
To disable SSLv3 on the NetScaler management interface, run the following command from the NSCLI:
set ssl service nshttps-127.0.0.1-443 -ssl3 disabled
NetScaler Management Interfaces on the MIP/SNIP:
To disable SSLv3 on the MIP/SNIP, identify the internal service names by running the following command from the NSCLI for each IP address:
show service -internal | grep <IP>
SSLv3 can then be disabled for each IP address using the following NSCLI command:
set ssl service <internal service name for that ip> -ssl3 disabled
Note that, after these commands have been run, the NetScaler configuration should be saved with the NSCLI command “save config” so that the changes persist across appliance reboots. As with all configuration changes, Citrix recommends that these changes are validated within a test environment prior to deploying to a production environment.
Customers requiring further assistance should refer to the documentation for their products or contact their normal Citrix Support representative.
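After the commands above have been run and the configuration saved, it is worth confirming that no SSL vserver or internal service was missed. The following Python script is an added example, not Citrix's own tooling; it assumes the saved ns.conf records SSL entities as `add lb|cs|vpn vserver <name> SSL ...` lines and their protocol settings as `set ssl vserver|service <name> -ssl3 DISABLED|ENABLED` lines, and it treats any SSL entity without an explicit `-ssl3 DISABLED` as still allowing SSLv3. The sample configuration is constructed for illustration.

```python
import re

# Constructed ns.conf-style sample (not taken from a real appliance).
SAMPLE_NSCONF = """\
add lb vserver vs_web SSL 10.0.0.10 443 -persistenceType NONE
add lb vserver vs_api SSL 10.0.0.11 443 -persistenceType NONE
add lb vserver vs_http HTTP 10.0.0.12 80 -persistenceType NONE
add cs vserver cs_portal SSL 10.0.0.13 443
set ssl vserver vs_web -ssl3 DISABLED -tls1 ENABLED
set ssl vserver cs_portal -ssl3 ENABLED
set ssl service nshttps-127.0.0.1-443 -ssl3 DISABLED
"""

# Assumed line shapes: "add <lb|cs|vpn> vserver <name> <type> ..." and
# "set ssl <vserver|service> <name> <options>".
VSERVER_ADD = re.compile(r"^add (?:lb|cs|vpn) vserver (\S+) (\S+)", re.I)
SSL_SET = re.compile(r"^set ssl (vserver|service) (\S+)(.*)$", re.I)


def audit_ssl3(config_text):
    """Return the names of SSL vservers/services that still allow SSLv3.

    An entity is reported when it has no 'set ssl ... -ssl3 DISABLED' line,
    on the assumption that SSLv3 is enabled unless explicitly disabled.
    """
    ssl3_state = {}  # entity name -> None (never set), "DISABLED" or "ENABLED"
    for line in config_text.splitlines():
        m = VSERVER_ADD.match(line)
        if m and m.group(2).upper() == "SSL":
            ssl3_state.setdefault(m.group(1), None)
        m = SSL_SET.match(line)
        if m:
            name, options = m.group(2), m.group(3)
            ssl3_state.setdefault(name, None)
            s = re.search(r"-ssl3\s+(\S+)", options, re.I)
            if s:
                ssl3_state[name] = s.group(1).upper()
    return sorted(n for n, state in ssl3_state.items() if state != "DISABLED")


if __name__ == "__main__":
    for name in audit_ssl3(SAMPLE_NSCONF):
        print(f"SSLv3 still permitted on: {name}")
```

Running the script over the sample reports `cs_portal` (explicitly enabled) and `vs_api` (never configured); `vs_http` is ignored because it is not an SSL vserver.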
NetScaler Service Delivery Appliances
Customers using the NetScaler Service Delivery Appliance service VM are affected by this vulnerability. To address this issue, customers should upgrade their Service Delivery Appliances to the following versions:
These new versions are available on the Citrix website at the following address:
<https://www.citrix.com/content/citrix/en_us/downloads/netscaler-adc.html>
Customers using Command Center are affected by this vulnerability. To address this issue, customers should upgrade their Command Center deployment to the following versions:
These new versions are available on the Citrix website at the following address: <https://www.citrix.com/downloads/command-center.html>
Once upgraded, customers wishing to disable SSLv3 should then make this change in the Command Center user interface.
Information on how to configure supported versions of Citrix Secure Gateway can be found in the product documentation. This is available on the Citrix website at the following address:
It is possible to configure the protocol versions used by the internal SSL Relay component under the “Connection” tab of the configuration utility. Further information on this can be found in the product documentation at the following address:
<http://support.citrix.com/servlet/KbServlet/download/12606-102-16435/Administrators_Guide.pdf>
Information on how to configure the use of cryptographic protocols on the underlying Microsoft web server can be found at the following location:
<http://support.microsoft.com/kb/245030>
Customers wishing to configure their XenMobile Device Manager (XDM) deployments to prevent the use of SSLv3 can make the following changes:
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
Customers using a combined NetScaler and XenMobile deployment should refer to the NetScaler guidance in this document for information on configuring their NetScaler appliances.
Customers using Citrix AppController 9.0 should download the patch for their products available at the following location:
<https://support.citrix.com/article/CTX142031>
Information on how to configure the use of cryptographic protocols on the underlying web server can be found at the following location:
<http://support.citrix.com/proddocs/topic/cpbm-23-map/cpbm-install.html>
The following Citrix SaaS Solutions products are vulnerable to this issue:
Citrix is actively working to address this issue and further information will be added to the document as it becomes available.
A patch for affected versions of Citrix AppController has been released that addresses this vulnerability. This patch is available on the Citrix website at the following address:
<https://support.citrix.com/article/CTX142031>
Citrix recommends that customers using affected versions of App Controller apply this patch to their appliances as soon as their patching schedule allows.
Citrix XenMobile & App Controller 10 are not affected by this vulnerability.
The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:
Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.5, has been released to address this issue. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html>
Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html>
In configurations where CloudPlatform has been configured to use HTTPS to provide secure communication to the management server, Citrix recommends that customers consider disabling SSLv3. Information on how to configure the underlying web server to support TLS only can be found in the following article: <http://support.citrix.com/article/CTX132008>
Citrix recommends that customers using affected versions of CloudPlatform update their SystemVM ISOs and upgrade their system and router virtual machine templates to the latest version. Information on how to obtain and carry out these updates can be found in the following articles:
License Server for Windows:
When configured to use SSL, the License Server for Windows is impacted by this vulnerability. To disable SSLv3 on License Server for Windows, please see the following article: <https://support.citrix.com/article/CTX200265>
License Server VPX:
SSLv3 is disabled in version 11.12.1 and later of the License Server VPX. Citrix recommends that customers upgrade to version 11.12.1 or later to address this issue. This version can be found at the following address: <http://www.citrix.com/downloads/licensing.html>
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <http://support.citrix.com/>.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Date | Change |
---|---|
October 15th 2014 | Initial bulletin published |
October 16th 2014 | Secure Gateway configuration added |
October 20th 2014 | SSL Relay, Web Interface/Storefront and XenMobile configuration added |
November 7th 2014 | CloudPortal Business Manager section added |
November 13th 2014 | SaaS Solutions section added |
February 2nd 2015 | XenMobile App Controller section added |
February 25th 2015 | Addition of VDI-In-A-Box section |
March 4th 2015 | Addition of CloudPlatform section, change to XenMobile section |
March 18th 2015 | VDI-In-A-Box section updated |
April 8th 2015 | Update to Secure Gateway & SSL Relay section |
April 28th 2015 | Update to NetScaler section |
May 21st 2015 | Addition of Licensing section |
July 7th 2015 | Update to SaaS Solutions section |
September 1st 2015 | Update to NetScaler section |
September 8th 2015 | Addition of Command Center section |
March 22nd 2016 | Updated link in Citrix Secure Gateway & SSL Relay section |