Citrix ShareFile storage zones Controller multiple security updates

2020-11-09T09:09:02
ID CTX269106
Type citrix
Reporter Citrix
Modified 2020-06-24T04:00:00

Description

<section class="article-content" data-swapid="ArticleContent"> <div class="content-block" data-swapid="ContentBlock"><div> <div> <h2> Description of Problem</h2> <div> <div> <div> <p>Security issues have been identified in customer-managed Citrix ShareFile storage zone controllers. These vulnerabilities, if exploited, would allow an unauthenticated attacker to compromise the storage zones controller potentially giving an attacker the ability to access ShareFile users’ documents and folders.</p> <p>These issues have been given the following identifiers:</p> <ul> <li>CVE-2020-7473</li> <li>CVE-2020-8982</li> <li>CVE-2020-8983</li> </ul> <p> </p> <p>Customer-managed storage zones <u>created</u> using the following versions of the storage zones controller are affected:</p> <ul> <li>ShareFile storage zones Controller 5.9.0</li> <li>ShareFile storage zones Controller 5.8.0</li> <li>ShareFile storage zones Controller 5.7.0</li> <li>ShareFile StorageZones Controller 5.6.0</li> <li>ShareFile StorageZones Controller 5.5.0</li> <li>All earlier versions of ShareFile StorageZones Controller</li> </ul> <p> </p> <p>Storage zones <u>created</u> using the recently released versions of storage zones controllers listed below are not affected:</p> <ul> <li>Storage Zones Controller 5.10.0 and later 5.10 releases</li> <li>Storage Zones Controller 5.9.2 and later 5.9 releases</li> <li>Storage Zones Controller 5.8.2 and later 5.8 releases</li> <li>Storage Zones Controller 5.7.2 and later 5.7 releases</li> <li>ShareFile StorageZones Controller 5.6.2 and later 5.6 releases</li> <li>ShareFile StorageZones Controller 5.5.2 and later 5.5 releases</li> </ul> <p> </p> <p>Storage zones created using a vulnerable version of the storage zones controller are at risk even if the storage zones controller has been subsequently updated.</p> </div> </div> </div> </div> <div> <h2> What Customers Should Do</h2> <div> <div> <div> <p>Customers with Citrix-managed storage zones do not need to take any action. <span>Customers with customer-managed storage zones should ensure they are running on a supported version. In order to address the issue customers are strongly recommended to run the mitigation tool as soon as possible on the storage zone controllers managing each impacted storage zone by following the guidance in the following support article:</span></p> <p> <a href="https://support.citrix.com/article/CTX269341">https://support.citrix.com/article/CTX269341</a><u></u></p> </div> </div> </div> </div> <div> <h2> Acknowledgements</h2> <div> <div> <div> <p>Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and CVE-2020-8983 to protect Citrix customers. Citirix would also like to thank Daniel Jensen (@dozernz) for working with us to protect Citrix customers.</p> </div> </div> </div> </div> <div> <h2> What Citrix Is Doing</h2> <div> <div> <div> <p>Citrix is notifying customers and channel partners with customer-managed storage zone controllers about this potential security issue. This article is also available from the Citrix Knowledge Center at <a href="http://support.citrix.com/">http://support.citrix.com/</a>.</p> </div> </div> </div> </div> <div> <h2> Obtaining Support on This Issue</h2> <div> <div> <div> <div> <div> <p>If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <u> <a href="https://www.citrix.com/support/open-a-support-case.html">https://www.citrix.com/support/open-a-support-case.html</a></u>. </p> </div> </div> </div> </div> </div> </div> <div> <h2> Reporting Security Vulnerabilities</h2> <div> <div> <div> <p>Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at <a href="https://www.citrix.com/about/trust-center/vulnerability-process.html">https://www.citrix.com/about/trust-center/vulnerability-process.html</a>.<br/> </p> </div> </div> </div> </div> <div> <h2> Changelog</h2> <div> <div> <div> <table width="100%"> <tbody> <tr> <td colspan="1" rowspan="1">Date </td> <td colspan="1" rowspan="1">Change</td> </tr> <tr> <td colspan="1" rowspan="1">2020-05-05</td> <td colspan="1" rowspan="1">Initial publication</td> </tr> <tr> <td colspan="1" rowspan="1">2020-06-24</td> <td colspan="1" rowspan="1">Fixed versions updated</td> </tr> </tbody> </table> </div> </div> </div> </div> </div></div> </section>