CVE-2019-6485 – TLS Padding Oracle Vulnerability in Citrix Application Delivery Controller (ADC) and NetScaler Gateway

A vulnerability has been identified in the Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and NetScaler Gateway platforms using hardware acceleration that could allow an attacker to exploit the appliance to decrypt TLS traffic. This vulnerability does not directly allow an attacker to obtain the TLS private key.

This vulnerability has been assigned the following CVE:

• CVE-2019-6485: TLS Padding Oracle Vulnerability in Citrix Application Delivery Controller (ADC) and NetScaler Gateway

Platforms that are not on the list of unaffected platforms below and that run the following versions of Citrix ADC and NetScaler Gateway are impacted. This includes Citrix ADC instances on affected SDX platforms that use hardware acceleration via an assigned virtual function (VF):

• Citrix ADC and NetScaler Gateway version 12.1 earlier than build 50.31

• Citrix ADC and NetScaler Gateway version 12.0 earlier than build 60.9

• Citrix ADC and NetScaler Gateway version 11.1 earlier than build 60.14

• Citrix ADC and NetScaler Gateway version 11.0 earlier than build 72.17

• Citrix ADC and NetScaler Gateway version 10.5 earlier than build 69.5

The following platforms are not affected and do not require the firmware update:

• MPX 5900 series

• MPX/SDX 8900 series

• MPX/SDX 15000-50G

• MPX/SDX 26000-50S series

• MPX/SDX 26000-100G series

• MPX/SDX 26000 series

• VPX

How to check your platform: https://docs.citrix.com/en-us/netscaler/12/ssl/support-for-mpx-5900-8900-platforms.html
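A fleet triage check built from the two lists above, as an added example (not Citrix code). It assumes the inventory records each appliance's platform family in the advisory's own wording and a version string shaped like `NS12.1: Build 49.23.nc` or `12.1-49.23`; the hostnames, platforms and builds in the sample inventory are constructed.

```python
import re

# Fixed build per release, copied from the advisory's affected-version list.
FIXED_BUILD = {(12, 1): (50, 31), (12, 0): (60, 9), (11, 1): (60, 14),
               (11, 0): (72, 17), (10, 5): (69, 5)}
# The advisory's "not affected" platform list, verbatim.
UNAFFECTED_ENTRIES = ["MPX 5900 series", "MPX/SDX 8900 series", "MPX/SDX 15000-50G",
                      "MPX/SDX 26000-50S series", "MPX/SDX 26000-100G series",
                      "MPX/SDX 26000 series", "VPX"]

def _expand(entry):
    """'MPX/SDX 8900 series' -> {'MPX 8900', 'SDX 8900'}; 'VPX' -> {'VPX'}."""
    kinds, _, model = entry.replace(" series", "").partition(" ")
    return {f"{kind} {model}".strip() for kind in kinds.split("/")}

UNAFFECTED = set().union(*(_expand(e) for e in UNAFFECTED_ENTRIES))

# Assumed input shape: release "12.1", any separator, then build "49.23".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\D+?(\d+)\.(\d+)")

def triage(platform, version):
    """Classify one appliance against the advisory's lists."""
    if platform.strip().upper() in UNAFFECTED:
        return "platform not affected"
    match = VERSION_RE.search(version)
    if not match:
        return "unparseable version"
    major, minor, build_major, build_minor = map(int, match.groups())
    fixed = FIXED_BUILD.get((major, minor))
    if fixed is None:
        return "release not listed in advisory"
    # Compare builds as integer pairs: 60.9 is earlier than 60.14,
    # which a float or string comparison would get wrong.
    return "update required" if (build_major, build_minor) < fixed else "at or above fixed build"

# Constructed sample inventory: (hostname, platform, version string).
INVENTORY = [
    ("adc-edge-01", "MPX 14000", "NS11.1: Build 60.9.nc"),
    ("adc-edge-02", "MPX 14000", "NS12.1: Build 50.31.nc"),
    ("adc-lab-01", "VPX", "NS12.0: Build 53.13.nc"),
    ("adc-dc-01", "SDX 8900", "12.1-49.23"),
]

def report(inventory=INVENTORY):
    return {host: triage(platform, version) for host, platform, version in inventory}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host}: {verdict}")
```

A platform string that does not match the unaffected list exactly is evaluated by version, so an unrecognized spelling is flagged rather than silently exempted.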
