CVE-2009-3555 – Transport Layer Security Renegotiation Vulnerability

Description of Problem

A vulnerability has been discovered in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols that could allow an attacker to inject malicious content at the beginning of a protected stream.

This vulnerability has been assigned the following CVE:

    • CVE-2009-3555: TLS Protocol Session Renegotiation Security Vulnerability

Citrix is actively assessing the possible impact of this issue on our current product range; details of any products known to be affected by this vulnerability will be added to this document as the investigation progresses. A current version of this document is available at the following address:

http://support.citrix.com/article/CTX123359

Citrix recommends that customers periodically review this document to ensure that they are kept up to date with its contents.

What Customers Should Do

A fix for this vulnerability has been released in the following products:

Citrix Online Plug-In for Windows:

Online Plug-in for Windows version 12.1

http://www.citrix.com/English/ss/downloads/details.asp?downloadId=2304987&productId=186&c1=sot2755

Citrix Secure Gateway:

Secure Gateway version 3.0 Hotfix 10

http://support.citrix.com/article/CTX121844

The following versions of Secure Gateway include a fix for secure renegotiation, and replace previously released versions of Secure Gateway.

Secure Gateway version 3.1.5

EN – http://support.citrix.com/article/CTX127793

JP – http://support.citrix.com/article/CTX127794

Secure Gateway version 3.2.1

EN – http://support.citrix.com/article/CTX126521

JP – http://support.citrix.com/article/CTX125250

Citrix XenApp (formerly known as Presentation Server):

Citrix XenApp 6 for Windows Server 2008 R2:

EN – http://support.citrix.com/article/CTX126679

FR – http://support.citrix.com/article/CTX128626

DE – http://support.citrix.com/article/CTX128627

JA – http://support.citrix.com/article/CTX128628

Citrix XenApp 5 for Windows Server 2008 x86:

EN – http://support.citrix.com/article/CTX126499

FR – http://support.citrix.com/article/CTX126500

DE – http://support.citrix.com/article/CTX126501

JA – http://support.citrix.com/article/CTX126502

ES – http://support.citrix.com/article/CTX126503

Citrix XenApp 5 for Windows Server 2008 x64:

EN – http://support.citrix.com/article/CTX126504

FR – http://support.citrix.com/article/CTX126505

DE – http://support.citrix.com/article/CTX126506

JA – http://support.citrix.com/article/CTX126507

ES – http://support.citrix.com/article/CTX126508

Citrix Presentation Server 4.5 with Feature Pack/XenApp 5 for Windows Server 2003 x86:

EN – http://support.citrix.com/article/CTX126460

FR – http://support.citrix.com/article/CTX126463

DE – http://support.citrix.com/article/CTX126461

JA – http://support.citrix.com/article/CTX126462

ES – http://support.citrix.com/article/CTX126464

Citrix Presentation Server 4.5 with Feature Pack/XenApp 5 for Windows Server 2003 x64:

EN – http://support.citrix.com/article/CTX126466

FR – http://support.citrix.com/article/CTX126469

DE – http://support.citrix.com/article/CTX126467

JA – http://support.citrix.com/article/CTX126468

ES – http://support.citrix.com/article/CTX126570

Citrix Access Essentials/XenApp Fundamentals 3.0:

EN – http://support.citrix.com/article/CTX126499

FR – http://support.citrix.com/article/CTX126500

DE – http://support.citrix.com/article/CTX126501

JA – http://support.citrix.com/article/CTX126502

ES – http://support.citrix.com/article/CTX126503

Citrix Access Essentials 2.0:

EN – http://support.citrix.com/article/CTX126460

FR – http://support.citrix.com/article/CTX126463

DE – http://support.citrix.com/article/CTX126461

JA – http://support.citrix.com/article/CTX126462

ES – http://support.citrix.com/article/CTX126464

Citrix NetScaler:

Appliance firmware version 8.1, build 68.7 or later, and version 9.1, build 99.8 or later. These builds are available at the following location:

https://www.citrix.com/English/ss/downloads/results.asp?productID=21679

Citrix Access Gateway Enterprise Edition:

Application software version 8.1, build 68.7 or later, and version 9.1, build 99.8 or later. These builds are available at the following location:

https://www.citrix.com/English/ss/downloads/results.asp?productID=15005&c1=pov1680613

Information on configuring Citrix NetScaler and Access Gateway Enterprise Edition can be found at the following location:

http://support.citrix.com/article/CTX123680

Citrix Access Gateway Standard Edition:

Appliance software version 4.6.2 or later. These builds are available at the following location:

https://www.citrix.com/English/ss/downloads/results.asp?productID=15005&c1=pov1680611&c2=sot36239

Citrix XenServer:

Citrix XenServer version 5.0 Update 3 and later, available from the following location:

http://support.citrix.com/article/CTX125318

Citrix XenServer version 5.5 Update 2 and later, available from the following location:

http://support.citrix.com/article/CTX125519

What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. If you would like to report a security issue to Citrix, please compose an e-mail to secure@citrix.com stating the exact version of the product in which the vulnerability was found and the steps needed to reproduce the vulnerability.
