Systems Engineering is aware of the vulnerabilities recently found in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Exploits on unmitigated appliances have been observed.
Citrix rates these vulnerabilities as CRITICAL.
Citrix has released a security bulletin addressing three (3) vulnerabilities: CVE-2023-3519, CVE-2023-3466, and CVE-2023-3467. These vulnerabilities could potentially allow an attacker to gain unauthorized access to sensitive information or execute arbitrary code on affected systems.
- CVE-2023-3519: This vulnerability is related to improper input validation in Citrix ADC and Citrix Gateway.
- CVE-2023-3466 and CVE-2023-3467: These vulnerabilities involve improper handling of certain requests by Citrix ADC and Citrix Gateway.
The following supported versions of NetScaler are impacted:
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13
- NetScaler ADC 13.1-FIPS before 13.1-37.159
- NetScaler ADC 12.1-FIPS before 12.1-55.297
- NetScaler ADC 12.1-NDcPP before 12.1-55.297
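A version check built from the affected-version list above, as an added example (not Citrix's or Systems Engineering's code); the "MAJOR.MINOR-BUILD.SUB" version-string format and the edition labels ("standard", "FIPS", "NDcPP") are assumptions made for this example, and the edition must be supplied explicitly because FIPS and standard builds of the same release line share a number space.

```python
"""Decide whether a NetScaler ADC / Gateway build is below the fixed build
named in the Citrix bulletin for CVE-2023-3519, CVE-2023-3466 and CVE-2023-3467.
Added example; version-string format and edition labels are assumptions."""
import re
from typing import Optional, Tuple

# Minimum fixed build per (release line, edition), copied from the bulletin's list.
FIXED_BUILDS = {
    ("13.1", "standard"): "13.1-49.13",
    ("13.0", "standard"): "13.0-91.13",
    ("13.1", "FIPS"): "13.1-37.159",
    ("12.1", "FIPS"): "12.1-55.297",
    ("12.1", "NDcPP"): "12.1-55.297",
}

# Assumed format, e.g. "13.1-48.47" (as in the bulletin's own version strings).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR-BUILD.SUB' into an int tuple that compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor, build, sub)


def is_affected(version: str, edition: str = "standard") -> Optional[bool]:
    """True if the build is older than the fixed build for its release line and
    edition, False if it is at or above it, None if that line/edition is not in
    the bulletin's list (treat None as 'needs review', not as 'safe')."""
    parsed = parse_version(version)
    key = (f"{parsed[0]}.{parsed[1]}", edition)
    if key not in FIXED_BUILDS:
        return None
    return parsed < parse_version(FIXED_BUILDS[key])


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, edition).
    for host, ver, ed in [("gw1", "13.1-48.47", "standard"),
                          ("gw2", "13.1-37.159", "FIPS"),
                          ("gw3", "12.1-65.39", "standard")]:
        print(host, ver, ed, "->", is_affected(ver, ed))
```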
Course of Action
Citrix has released patches to address these vulnerabilities. For clients with Network Administration and SE Essentials services, we are presently working to patch affected versions of NetScaler.
For all other clients, we strongly recommend you update impacted systems with the latest security patches as soon as possible. Citrix has provided upgrade instructions in its security bulletin.
If you are a Systems Engineering client and have questions about this Security Alert, please contact your Account Manager.