Security advisories

Citrix Releases Critical Security Patches

January 20, 2020 | 1 MIN READ

Speak With A Security Expert Now

TALK TO AN EXPERT

The Threat:

On January 19th, 2020, Citrix released patches for two vulnerable versions of Citrix ADC and Citrix Gateway products [1]. These patches address the critical code execution vulnerability reported in previous advisories [2]. This vulnerability is being actively exploited in the wild for multiple malicious purposes; it is highly recommended to apply the available patches as soon as possible.

What we’re doing about it:

What you should do about it:

Additional information:

CVE-2019-19781 allows simple directory traversal by a remote attacker in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. Additionally, the vulnerability affects the Citrix SD-WAN WANOP appliance, versions 10.2.6 and 11.0.3.

It should be noted that the mitigation actions supplied by Citrix do not work on Citrix ADC and Citrix Gateway Release "12.1 build 50.28". If running this build, users will need update to version 12.1 build 50.28/50.31 or later.

Expected Patch Release [1]

Citrix ADC Version

Expected Patch Release Date

13

Jan 24, 2020

12.1

Jan 24, 2020

12

Jan 19, 2020 (Released)

11.1

Jan 19, 2020 (Released)

10.5

Jan 24, 2020

Citrix SD-WAN WANOP

Expected Patch Release Date

10.2.6

Jan 24, 2020

11.0.3

Jan 24, 2020

References:

[1] https://support.citrix.com/article/CTX267027

[2] https://www.esentire.com/security-advisories/critical-update-to-citrix-vulnerability-exploited/

[3] https://www.citrix.com/downloads/citrix-adc/

[4] https://www.citrix.com/downloads/citrix-gateway/

[5] https://support.citrix.com/article/CTX267679

[6] https://support.citrix.com/article/CTX269180

View Most Recent Advisories