Advisory

Multiple Citrix products reported vulnerable to regreSSHion flaw

Take action: The NetScaler product lines are vulnerable and should be prioritized for patching. At a minimum, restrict access to the SSH port to trusted networks. Follow Cloud Software Group for updates on the XenServer and TIBCO product lines.


Learn More

Cloud Software Group has acknowledged the existence of a critical security vulnerability, CVE-2024-6387, impacting OpenSSH. This flaw, identified by Qualys, is a remote unauthenticated code execution vulnerability found in OpenSSH’s server (sshd) on glibc-based Linux systems. Termed "regreSSHion," this vulnerability is a regression of the previously patched CVE-2006-5051 reported in 2006.

Customers should apply the latest updates where available.
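Before patching it helps to know which hosts in an estate are actually exposed. The following added example (not code from the advisory or from Cloud Software Group) classifies the OpenSSH version string that sshd sends in its banner against the affected ranges published by Qualys for CVE-2024-6387: releases before 4.4p1 are vulnerable unless already patched for CVE-2006-5051, 4.4p1 up to 8.5p1 are not affected, 8.5p1 up to 9.8p1 are affected, and 9.8p1 fixes the regression. The inventory of banners is constructed for the example; the hostnames are placeholders. The status names and the `triage` helper are assumptions made for this example.

```python
import re

# Matches the OpenSSH product/version token of an SSH identification banner,
# e.g. "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3" -> ("9", "6", "1").
BANNER_RE = re.compile(r"SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")

# Version boundaries from the public Qualys advisory for CVE-2024-6387
# (upstream OpenSSH numbering; distribution backports may differ).
REGRESSION_START = (8, 5, 1)   # 8.5p1 reintroduced the bug
FIXED_IN = (9, 8, 1)           # 9.8p1 fixed it
ORIGINAL_FIX = (4, 4, 1)       # 4.4p1 fixed CVE-2006-5051


def parse_banner(banner):
    """Return (major, minor, portable) for an OpenSSH banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, portable = m.groups()
    # Some vendor builds omit the "pN" suffix; treat it as 0 for comparison.
    return (int(major), int(minor), int(portable or 0))


def classify(banner):
    """Map a banner to a CVE-2024-6387 exposure status (assumed status names)."""
    version = parse_banner(banner)
    if version is None:
        return "unknown"                     # not OpenSSH, or unparsable
    if version < ORIGINAL_FIX:
        return "vulnerable-unless-patched"   # pre-2006 code, check vendor fix
    if version < REGRESSION_START:
        return "not-vulnerable"
    if version < FIXED_IN:
        return "vulnerable"                  # unless the vendor backported 9.8p1's fix
    return "fixed"


def triage(inventory):
    """Return {host: status} for a mapping of host -> captured banner line."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (placeholder hostnames, banners written for the example).
SAMPLE_INVENTORY = {
    "bastion.example.test": "SSH-2.0-OpenSSH_9.7p1 Debian-7",
    "build01.example.test": "SSH-2.0-OpenSSH_9.8p1",
    "legacy.example.test": "SSH-2.0-OpenSSH_8.4p1",
    "appliance.example.test": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:24s} {status}")
```

Treat a "vulnerable" result as a prompt to confirm, not as proof: distributions and appliance vendors routinely backport fixes without bumping the upstream version, so the package changelog or vendor bulletin is the authority. For NetScaler appliances, the build numbers in the table below are the reference rather than the sshd banner.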

Product status:

NetScaler & Citrix Products:

  • NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway)

    • Impacted Versions:
      • NetScaler ADC and NetScaler Gateway 14.1-25.56 and later
      • NetScaler ADC and NetScaler Gateway 13.1-53.24 and later releases of 13.1
      • NetScaler ADC and NetScaler Gateway 13.0-92.31 and later releases of 13.0
      • NetScaler ADC 13.1-FIPS 13.1-37.190 and later releases of 13.1-FIPS
      • NetScaler ADC 12.1-FIPS 12.1-55.309 and later releases of 12.1-FIPS
      • NetScaler ADC 12.1-NDcPP 12.1-55.309 and later releases of 12.1-NDcPP
  • NetScaler Console (formerly Citrix ADM)

    • Impacted Versions:
      • NetScaler Console 14.1 Build 25.56 and later
      • NetScaler Console 13.1 Build 53.24 and later releases of 13.1
      • NetScaler Console 13.0 Build 92.31 and later releases of 13.0
  • Citrix Endpoint Management - Under investigation

  • Citrix Secure Private Access - Under investigation

  • Citrix Virtual Apps and Desktops - Not impacted

  • Citrix Workspace - Not impacted

  • Citrix Analytics - Not impacted

XenServer Products:

  • Citrix Hypervisor - Not impacted

  • XenServer 8 - Not impacted

TIBCO Products - Under evaluation. Updates will be provided as soon as more information is available.

All Cloud Software Group cloud-hosted services will be patched if impacted, and no customer action is required.
