Lucene search

K
citrixCitrixCTX256725
HistoryJul 08, 2019 - 4:00 a.m.

Citrix Hypervisor Security Update.

2019-07-0804:00:00
support.citrix.com
21

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

<section>
<div><div>
<div>

<h2> Description of Problem</h2>

<div>
<div>
<div>
<p>A vulnerability has been found in Citrix Hypervisor (formerly Citrix XenServer) that may allow an unauthenticated attacker with the ability to send traffic to a host over a management or storage network to cause the host to crash.</p>
<p>This vulnerability is identified as:</p>
<p>• CVE-2019-11477: SACK Panic</p>
<p>A secondary issue, which allows an unauthenticated attacker with the ability to send traffic to a host over a management or storage network to cause a transient increase in memory and processor load within the control domain, has also been addressed. This issue is identified as:</p>
<p>• CVE-2019-11478: Excess resource usage</p>
<p>These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.0.</p>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Mitigating Factors</h2>

<div>
<div>
<div>
<p>Customers with isolated management networks, as recommended by Citrix, have significantly mitigated this issue.</p>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> What Customers Should Do</h2>

<div>
<div>
<div>
<p>Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:</p>
<p>Citrix XenServer 8.0: CTX256714 – <a href=“https://support.citrix.com/article/CTX256714”>https://support.citrix.com/article/CTX256714</a></p>
<p> Citrix XenServer 7.6: CTX256713 – <a href=“https://support.citrix.com/article/CTX256713”>https://support.citrix.com/article/CTX256713</a> </p>
<p>Citrix XenServer 7.1 LTSR CU2: CTX256712 – <a href=“https://support.citrix.com/article/CTX256712”>https://support.citrix.com/article/CTX256712</a> </p>
<p>Citrix XenServer 7.0: CTX256711 – <a href=“https://support.citrix.com/article/CTX256711”>https://support.citrix.com/article/CTX256711</a> </p>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> What Citrix Is Doing</h2>

<div>
<div>
<div>
<div>
<div>
<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href=“http://support.citrix.com/”>http://support.citrix.com/</a></u>.</p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Obtaining Support on This Issue</h2>

<div>
<div>
<div>
<div>
<div>
<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=“https://www.citrix.com/support/open-a-support-case.html”>https://www.citrix.com/support/open-a-support-case.html</a></u>. </p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Reporting Security Vulnerabilities</h2>

<div>
<div>
<div>
<div>
<div>
<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – <a href=“http://support.citrix.com/article/CTX081743”>Reporting Security Issues to Citrix</a></p>
</div>
</div>
</div>
</div>
</div>

<hr />
</div>
<div>

<h2> Changelog</h2>

<div>
<div>
<div>
<table border=“1” width=“100%”>
<tbody>
<tr>
<td>Date </td>
<td>Change</td>
</tr>
<tr>
<td>8th July 2019</td>
<td>Initial Publication</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>

<hr />
</div>
</div></div>
</section>

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C