
Citrix is warning that two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) are being widely exploited.
The vulnerabilities are listed below –
- CVE-2023-6548 (CVSS Score: 5.5) – Authenticated (low-privilege) remote code execution on the management interface (requires access to NSIP, CLIP, or SNIP through the management interface)
- CVE-2023-6549 (CVSS Score: 8.2) – Denial of service (requires the appliance to be configured as a Gateway or as an authentication, authorization, and accounting (AAA) virtual server)
The following customer-managed versions of NetScaler ADC and NetScaler Gateway are affected by these flaws –
- NetScaler ADC and NetScaler Gateway 14.1 versions prior to 14.1-12.35
- NetScaler ADC and NetScaler Gateway 13.1 versions prior to 13.1-51.15
- NetScaler ADC and NetScaler Gateway 13.0 versions prior to 13.0-92.21
- NetScaler ADC and NetScaler Gateway version 12.1 (currently discontinued)
- NetScaler ADC 13.1-FIPS versions prior to 13.1-37.176
- NetScaler ADC 12.1-FIPS versions prior to 12.1-55.302, and
- NetScaler ADC 12.1-NDcPP versions prior to 12.1-55.302
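As a defender-side check, added here and not part of Citrix's advisory or this article, the following Python maps a NetScaler version string against the fixed builds listed above and flags builds that are still below them. It accepts the advisory's `13.1-49.13` form as well as the `show ns version` output form; the `variant` argument (FIPS or NDcPP) is an assumed parameter, because the version string alone does not identify the build variant.

```python
import re

# Fixed builds per (branch, variant), taken from the advisory list above.
# Value None means the branch has no fixed build (12.1 is discontinued).
FIXED_BUILDS = {
    ("14.1", ""): (12, 35),
    ("13.1", ""): (51, 15),
    ("13.0", ""): (92, 21),
    ("12.1", ""): None,            # end of life: upgrade to a supported branch
    ("13.1", "FIPS"): (37, 176),
    ("12.1", "FIPS"): (55, 302),
    ("12.1", "NDCPP"): (55, 302),
}

# Matches "13.1-49.13" (advisory form) and "NetScaler NS13.1: Build 49.13.nc"
# (`show ns version` form); the trailing ".nc" is ignored.
VERSION_RE = re.compile(r"(\d+\.\d+)[-:]\s*(?:Build\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, build_major, build_minor), or None if unrecognised."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(text, variant=""):
    """Classify a build as 'fixed', 'vulnerable', 'unsupported' (branch with
    no fixed build) or 'unknown' (branch/variant not covered by the advisory)."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    branch, major, minor = parsed
    fixed = FIXED_BUILDS.get((branch, variant.strip().upper()), "missing")
    if fixed == "missing":
        return "unknown"
    if fixed is None:
        return "unsupported"
    # Build numbers compare numerically, not as decimals: 12.35 > 12.5.
    return "fixed" if (major, minor) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, reported version, variant).
    inventory = [
        ("gw-edge-01", "NetScaler NS13.1: Build 49.13.nc", ""),
        ("gw-edge-02", "14.1-12.35", ""),
        ("adc-fips-01", "13.1-37.150", "FIPS"),
        ("adc-legacy-01", "12.1-65.39", ""),
    ]
    for host, version, variant in inventory:
        print(f"{host:14} {version:36} {assess(version, variant)}")
```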
“These CVEs have been observed being exploited on unmitigated devices,” Citrix said, without disclosing any other details. Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that addresses the vulnerabilities.

It is also recommended not to expose the management interface to the Internet to reduce the risk of exploitation.
In recent months, multiple security vulnerabilities in Citrix devices (CVE-2023-3519 and CVE-2023-4966) have been exploited by threat actors to drop web shells and hijack existing authenticated sessions.
VMware fixes critical Aria automation flaw
This disclosure comes as VMware warns customers of a critical security vulnerability in Aria Automation (formerly vRealize Automation) that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.
This issue has been assigned a CVE identifier CVE-2023-34063 (CVSS score: 9.9), which the virtualization services provider owned by Broadcom describes as a “lack of access control” flaw.
The Commonwealth Scientific and Industrial Research Organization’s (CSIRO) Scientific Computing Platforms team is credited with discovering and reporting the security flaw.
Versions affected by this vulnerability are provided below –
“The only supported upgrade path after applying the patch is to upgrade to version 8.16,” VMware said. “If you upgrade to an intermediate version, the vulnerability will reappear, requiring an additional round of patching.”
Atlassian discloses critical code execution flaw
This development also follows Atlassian's release of patches for more than two dozen vulnerabilities, including a critical remote code execution (RCE) flaw affecting Confluence Data Center and Confluence Server.

This vulnerability, CVE-2023-22527, has been assigned a CVSS score of 10.0, indicating the highest severity. It affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. It is worth noting that the 7.19.x LTS version is not affected by this vulnerability.
“A template injection vulnerability in out-of-date versions of Confluence Data Center and Server could allow an unauthenticated attacker to conduct RCE on affected versions,” the Australian company said.
This issue is resolved in versions 8.5.4, 8.5.5 (Confluence Data Center and Server), 8.6.0, 8.7.1, and 8.7.2 (Data Center only). Users with outdated instances are advised to update their installations to the latest version available.