5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
A vulnerability has been identified in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Packet Engine that could allow an attacker to exploit the appliance to decrypt TLS traffic.
This vulnerability has been assigned the following CVE:
This vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway:
This vulnerability does not allow an attacker to obtain the TLS private key.
In deployments where TLS private keys are shared between different devices, any of these vulnerable appliances could potentially be used to decrypt TLS traffic handled by the other devices. As a consequence, all vulnerable devices must be patched to address this issue.
Citrix NetScaler ADC and NetScaler Gateway appliances that are configured to only use Perfect Forward Secrecy (PFS) cipher suites are not affected by this vulnerability.
This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:
These new versions can be found on the Citrix website at the following locations:
<https://www.citrix.com/downloads/netscaler-adc/>
<https://www.citrix.com/downloads/netscaler-gateway/>
Citrix strongly recommends that affected customers upgrade all of their vulnerable NetScaler appliances to a version of the appliance firmware that contains a fix for this issue as soon as possible.
Citrix would like to thank the following for working with us to protect Citrix customers:
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at _ <http://support.citrix.com/>_.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at _ <https://www.citrix.com/support/open-a-support-case.html>_.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 β Reporting Security Issues to Citrix
Date | Change |
---|---|
12th December 2017 | Initial publishing |
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N