Citrix CTX249976
May 13, 2019 - 4:00 a.m.

CVE-2019-12044 - Buffer Overflow Vulnerability in Citrix ADC and Citrix NetScaler Gateway

2019-05-13 04:00:00
support.citrix.com
EPSS: 0.001 Low (percentile 45.8%)

<section>
<div><div>
<div>

<h2> Description of Problem</h2>

<div>
<div>
<div>
<p>A buffer overflow vulnerability has been identified in Citrix ADC and Citrix NetScaler Gateway which could possibly result in a denial-of-service in a specific configuration.</p>
<p>This vulnerability has been assigned the following CVE number:</p>
<p>• CVE-2019-12044: Buffer overflow vulnerability in Citrix ADC and Citrix NetScaler Gateway</p>
<p>This vulnerability is present in the following versions of Citrix ADC and Citrix NetScaler Gateway:</p>
<p>10.5.x earlier than version 10.5.70</p>
<p>11.1.x earlier than version 11.1.59.10</p>
<p>12.0.x earlier than version 12.0.59.8</p>
<p>12.1.x earlier than version 12.1.49.23</p>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Mitigating Factors</h2>

<div>
<div>
<div>
<p>The vulnerability can be mitigated by ensuring that virtual servers stay in the up state, or by disabling URL redirection. Removal of the redirect URL from the load balancer configuration mitigates this issue. In situations where failover is still needed for a down load balancer, ensure that the redirect URL contains at least a domain name ending with a /.</p>
<p>How to Configure Redirect URL on NetScaler Virtual Server When Virtual Server is Not Available: <a href="https://support.citrix.com/article/CTX108946">https://support.citrix.com/article/CTX108946</a></p>
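<p>Added example, not part of the Citrix bulletin: a small offline audit that checks a version string against the affected builds listed above and flags load-balancing virtual servers in a saved configuration whose redirect URL does not have a <code>/</code> after the domain name. It assumes the redirect is set with the <code>-redirectURL</code> parameter on <code>add lb vserver</code> / <code>set lb vserver</code> lines and reads "a domain name ending with a /" as host followed by a slash; the sample configuration is constructed.</p>

```python
import re
import shlex

# Fixed builds per branch, taken from the bulletin's affected-version list.
FIXED = {(10, 5): (10, 5, 70), (11, 1): (11, 1, 59, 10),
         (12, 0): (12, 0, 59, 8), (12, 1): (12, 1, 49, 23)}

def is_affected(version):
    """True/False for a dotted version on a listed branch, None otherwise."""
    v = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed

def redirect_meets_guidance(url):
    """Assumed reading of the guidance: a domain name followed by a '/'."""
    rest = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://", "", url)
    host, slash, _ = rest.partition("/")
    return bool(host) and slash == "/"

def audit_redirects(config_text):
    """Return [(vserver, url)] for lb vservers whose redirect URL lacks the '/'."""
    findings = []
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a line this audit can parse
        low = [t.lower() for t in tok]
        if low[:3] not in (["add", "lb", "vserver"], ["set", "lb", "vserver"]):
            continue
        if "-redirecturl" in low and low.index("-redirecturl") + 1 < len(tok):
            url = tok[low.index("-redirecturl") + 1]
            if not redirect_meets_guidance(url):
                findings.append((tok[3], url))
    return findings

# Constructed sample configuration (names and addresses are made up).
SAMPLE = '''\
add lb vserver vs_web HTTP 192.0.2.10 80 -redirectURL "http://sorry.example.com" -cltTimeout 180
add lb vserver vs_app HTTP 192.0.2.11 80 -redirectURL "http://sorry.example.com/" -cltTimeout 180
add lb vserver vs_api HTTP 192.0.2.12 80 -cltTimeout 180
set lb vserver vs_old -redirectURL http://maint.example.com
'''

if __name__ == "__main__":
    print(is_affected("12.1.49.16"), audit_redirects(SAMPLE))
```

<p>Virtual servers with no redirect URL at all are not reported, since removing the redirect URL is itself one of the mitigations described above.</p>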
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> What Customers Should Do</h2>

<div>
<div>
<div>
<p>This vulnerability has been addressed in new versions of the Citrix ADC and Citrix NetScaler Gateway software. Citrix recommends that customers upgrade their Citrix ADC and Citrix NetScaler Gateway appliances to one of the following versions:</p>
<p>11.1.59.10 and later</p>
<p>12.0.59.8 and later</p>
<p>12.1.49.23 and later</p>
<p>These upgrades can be obtained from the Citrix website at the following locations:</p>
<p>Citrix ADC:</p>
<p><a href="https://www.citrix.com/downloads/citrix-adc/">https://www.citrix.com/downloads/citrix-adc/</a></p>
<p>Citrix NetScaler Gateway:</p>
<p><a href="https://www.citrix.com/downloads/citrix-gateway/product-software.html">https://www.citrix.com/downloads/citrix-gateway/product-software.html</a></p>
<p>The 10.5.70.x version is expected to be released in the near future. Until it is released, it is recommended to apply the configuration mitigation or upgrade to a fixed version.</p>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> What Citrix Is Doing</h2>

<div>
<div>
<div>
<div>
<div>
<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u><a href="http://support.citrix.com/">http://support.citrix.com/</a></u>.</p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Obtaining Support on This Issue</h2>

<div>
<div>
<div>
<div>
<div>
<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u><a href="https://www.citrix.com/support/open-a-support-case.html">https://www.citrix.com/support/open-a-support-case.html</a></u>.</p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Reporting Security Vulnerabilities</h2>

<div>
<div>
<div>
<div>
<div>
<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – <a href="http://support.citrix.com/article/CTX081743">Reporting Security Issues to Citrix</a></p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Changelog</h2>

<div>
<div>
<div>
<table border="1" width="100%">
<tbody>
<tr>
<td>Date </td>
<td>Change</td>
</tr>
<tr>
<td>13th May 2019</td>
<td>Initial publication</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>

<hr />
</div>
</div></div>
</section>
