7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
<section>
<div><div>
<div>
<h2> Description of Problem</h2>
<div>
<div>
<div>
<p>A vulnerability has been found in Citrix Hypervisor (formerly Citrix XenServer) that may allow an unauthenticated attacker with the ability to send traffic to a host over a management or storage network to cause the host to crash.</p>
<p>This vulnerability is identified as:</p>
<p>ā¢ CVE-2019-11477: SACK Panic</p>
<p>A secondary issue, which allows an unauthenticated attacker with the ability to send traffic to a host over a management or storage network to cause a transient increase in memory and processor load within the control domain, has also been addressed. This issue is identified as:</p>
<p>ā¢ CVE-2019-11478: Excess resource usage</p>
<p>These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.0.</p>
</div>
</div>
</div>
<hr />
</div>
<div>
<h2> Mitigating Factors</h2>
<div>
<div>
<div>
<p>Customers with isolated management networks, as recommended by Citrix, have significantly mitigated this issue.</p>
</div>
</div>
</div>
<hr />
</div>
<div>
<h2> What Customers Should Do</h2>
<div>
<div>
<div>
<p>Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:</p>
<p>Citrix XenServer 8.0: CTX256714 ā <a href=āhttps://support.citrix.com/article/CTX256714ā>https://support.citrix.com/article/CTX256714</a></p>
<p> Citrix XenServer 7.6: CTX256713 ā <a href=āhttps://support.citrix.com/article/CTX256713ā>https://support.citrix.com/article/CTX256713</a> </p>
<p>Citrix XenServer 7.1 LTSR CU2: CTX256712 ā <a href=āhttps://support.citrix.com/article/CTX256712ā>https://support.citrix.com/article/CTX256712</a> </p>
<p>Citrix XenServer 7.0: CTX256711 ā <a href=āhttps://support.citrix.com/article/CTX256711ā>https://support.citrix.com/article/CTX256711</a> </p>
</div>
</div>
</div>
<hr />
</div>
<div>
<h2> What Citrix Is Doing</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at <u> <a href=āhttp://support.citrix.com/ā>http://support.citrix.com/</a></u>.</p>
</div>
</div>
</div>
</div>
</div>
<hr />
</div>
<div>
<h2> Obtaining Support on This Issue</h2>
<div>
<div>
<div>
<div>
<div>
<p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href=āhttps://www.citrix.com/support/open-a-support-case.htmlā>https://www.citrix.com/support/open-a-support-case.html</a></u>. </p>
</div>
</div>
</div>
</div>
</div>
<hr />
</div>
<div>
<h2> Reporting Security Vulnerabilities</h2>
<div>
<div>
<div>
<div>
<div>
<p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 ā <a href=āhttp://support.citrix.com/article/CTX081743ā>Reporting Security Issues to Citrix</a></p>
</div>
</div>
</div>
</div>
</div>
<hr />
</div>
<div>
<h2> Changelog</h2>
<div>
<div>
<div>
<table border=ā1ā width=ā100%ā>
<tbody>
<tr>
<td>Date </td>
<td>Change</td>
</tr>
<tr>
<td>8th July 2019</td>
<td>Initial Publication</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<hr />
</div>
</div></div>
</section>
CPE | Name | Operator | Version |
---|---|---|---|
citrix xenserver | eq | 8.0 | |
citrix xenserver | eq | 7.6 | |
citrix xenserver | eq | 7.1 LTSR CU2 | |
citrix xenserver | eq | 7.0 |
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C