Citrix ADC Vulnerability CVE-2019-19781
Last Wednesday I got an update email from the Citrix Heroes community ran by DJ Eshelman about a new vulnerability which has been found with Citrix ADC appliances. Fortunately my home lab hasn’t been powered up much this past few weeks but today I decided to apply the mitigation steps to my VPX in case.
DJ is keeping an updated post on his site ctxpro.com here which also has links to the official Citrix vulnerability announcement CVE-2019-19781, as well as the mitigation steps support article CTX267679.
DJ’s page also includes what is known so far about the vulnerability, links to a US Government web page which provides a method of checking for the flaw here, and a link to nerdscaler.com’s post on some of the indicators noted so far on where .xml files are stored on the appliance here.
I’ve now applied to the mitigation steps to my VPX but will probably keep it offline until the fixed firmware is released for version 13.0 appliances which is currently expected to be on the 24th of January 2020. Once the new firmware is released I think it may even be time for a full rebuild as it’s also a good opportunity to clean out any testing configurations that I haven’t tidied up !
Top effort by DJ and the Citrix community at large for getting this message out and I must admit that I would have missed it if I wasn’t part of the Citrix Heroes group !