Yesterday, Citrix released two Security Bulletins covering TLS vulnerabilities that affect Citrix NetScaler versions 10.5 through 12.0. These are:
- CTX230238 (CVE-2017-17382): TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway, and
- CTX230612 (CVE-2017-17549): Information Disclosure in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Client TLS Handshake – VPX only.
Citrix recommends a firmware update of all affected NetScaler / Gateway instances to these builds (or newer):
- Citrix NetScaler ADC and NetScaler Gateway 12.0 build 53.22 and later,
- Citrix NetScaler ADC and NetScaler Gateway 11.1 build 56.19 and later,
- Citrix NetScaler ADC and NetScaler Gateway 11.0 build 71.22 and later,
- Citrix NetScaler ADC and NetScaler Gateway 10.5 build 67.13 and later.
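To check whether an instance is already on one of the fixed builds listed above, here is an added helper (not part of the Citrix bulletins) that parses the version banner and compares it against that list; the banner format `NetScaler NS11.1: Build 56.19.nc, ...` as printed by `show ns version` is an assumption, as are the sample strings.

```python
import re

# Minimum fixed builds per release branch, taken from the bulletin list above.
FIXED_BUILDS = {
    (12, 0): (53, 22),
    (11, 1): (56, 19),
    (11, 0): (71, 22),
    (10, 5): (67, 13),
}

# Assumed banner format, e.g. "NetScaler NS11.1: Build 56.19.nc, Date: ..."
VERSION_RE = re.compile(r"NS(\d+)\.(\d+):\s*Build\s+(\d+)\.(\d+)")


def parse_version(banner):
    """Return ((major, minor), (build, sub)) from a NetScaler version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised NetScaler version string: %r" % banner)
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def patch_status(banner):
    """Return 'fixed', 'vulnerable' or 'unknown' for the given banner.

    'unknown' means the release branch is not covered by the bulletins
    (e.g. an older 10.1 build), so the table above cannot decide it.
    """
    branch, build = parse_version(banner)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return "unknown"
    # Tuple comparison orders (build, sub) numerically, so 53.22 > 53.13.
    return "fixed" if build >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, one per branch plus an uncovered one.
    samples = [
        "NetScaler NS12.0: Build 53.13.nc, Date: Oct 20 2017, 11:42:18",
        "NetScaler NS11.1: Build 56.19.nc, Date: Dec  1 2017, 03:55:21",
        "NetScaler NS10.5: Build 67.13.nc, Date: Nov 28 2017, 10:01:03",
        "NetScaler NS10.1: Build 135.8.nc, Date: Mar  3 2016, 08:12:44",
    ]
    for s in samples:
        print("%-12s %s" % (patch_status(s), s))
```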