
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6296
 CVE-2014-0160 - Citrix Security Advisory for the Heartbleed vulnerability
                              2 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix products
Publisher:         Citrix
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-0160 CVE-2014-0160 

Original Bulletin: 
   https://support.citrix.com/article/CTX140605/cve20140160-citrix-security-advisory-for-the-heartbleed-vulnerability

Comment: CVSS (Max):  7.5* CVE-2014-0160 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2014-0160 - Citrix Security Advisory for the Heartbleed vulnerability

Reference: CTX140605
Category : None
Created  : 09 April 2014
Modified : 15 August 2019

Overview

A vulnerability has been recently disclosed in OpenSSL that could result in
remote attackers being able to obtain sensitive data from the process address
space of a vulnerable OpenSSL server or client.

The issue has been assigned the following CVE identifier and is also known as
the Heartbleed vulnerability:

CVE-2014-0160: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

What Citrix is Doing

Citrix has analyzed the impact of this issue on currently supported products.
The following sections of this advisory provide impact information on each
product.

Products That Require Citrix Updates:

    o HDX RealTime Optimization Pack for Microsoft Lync 2010: This component is
    vulnerable to CVE-2014-0160. An updated version of this component has been
    released to address this issue. Citrix recommends customers deploy these
    patches as soon as possible. These patches can be found on our website at
    the following locations:

        o Windows - https://support.citrix.com/article/CTX140719

        o Mac - https://support.citrix.com/article/CTX140730

        o Linux - https://support.citrix.com/article/CTX140732

    o Citrix XenMobile App Controller: XenMobile App Controller versions 2.9
    and 2.10 are vulnerable to CVE-2014-0160. Patches have been released to
    address this issue for both App controller 2.9 and 2.10. Citrix recommends
    that customers deploy these patches as soon as possible. These patches are
    available from the following location: https://www.citrix.com/downloads/
    xenmobile/product-software.html . Further information on this can be found
    in the following blog post: http://blogs.citrix.com/2014/04/15/
    citrix-xenmobile-security-advisory-for-heartbleed/ .

    o Citrix XenMobile MDX Toolkit & SDK: MDX Toolkit and SDK Versions 2.2.1
    (XenMobile 8.6.1) and 2.3.61 (XenMobile 8.7) use a vulnerable version of
    OpenSSL when wrapping iOS applications. Enterprise-ready mobile apps on the
    Worx App Gallery that use this version of Worx SDK also use a vulnerable
    version of OpenSSL. Outgoing micro VPN network connections to Access
    Gateway from iOS applications that were wrapped, or Worx SDK enabled, with
    this version will be encapsulated in a TLS connection that uses a
    vulnerable version of OpenSSL. Citrix has released a new version of the MDX
    Toolkit & SDK for iOS and Android Build MDX Toolkit; this can be found on
    the Citrix website at the following address: https://www.citrix.com/
    downloads/xenmobile/product-software.html . Wrapped Android applications
    make use of the underlying Android version of OpenSSL; Citrix therefore
    advises customers to check with their device vendors to ensure that the
    underlying Android version is not vulnerable to CVE-2014-0160.

    o Citrix XenMobile Worx components for iOS: Worx Home for iOS version 8.7
    uses a vulnerable version of OpenSSL. A new version of this software,
    8.7.1.27, can be downloaded from the Apple App Store at the following
    address: https://itunes.apple.com/us/app/worx-home/id434682528?mt=8 .
    Customers that are using wrapped versions of iOS Worx applications are also
    advised to review the guidance on the MDX Toolkit given above.

    o Receiver for BlackBerry: The Receiver for BlackBerry 10 version 2.0.0.21
    is vulnerable to CVE-2014-0160. A new version of the Receiver for
    BlackBerry 10, 2.0.0.22, can be downloaded from the BlackBerry World
    website at the following address: http://appworld.blackberry.com/webstore/
    content/34621918 . Receiver for PlayBook version 1.0.0 and Receiver for
    BlackBerry version 2.2 are not vulnerable to CVE-2014-0160.

    o Citrix Licensing: The Citrix License Server for Windows version 11.11.1,
    the Citrix License Server VPX version 11.12 and the Citrix Usage Collector
    are vulnerable to CVE-2015-0160. New versions of the License Server for
    Windows, 11.11.1.13017, and the License Server VPX, 11.12.14001, can be
    downloaded from the Citrix website at the following address: https://
    www.citrix.com/downloads/licensing/license-server.html

    o Citrix CloudPlatform: The TLS interface exposed by the Secondary Storage
    VM in CloudPlatform versions 4.2.0, 4.2.1-x and 4.3.0.0 uses a version of
    OpenSSL that is vulnerable to CVE-2014-0160. Citrix has released updated
    system virtual machine templates to resolve this issue. Citrix recommends
    that customers update the system virtual machine templates to a patched
    version and then reboot any Secondary Storage VMs to ensure that the
    updated OpenSSL version is being used. Instructions on updating the system
    virtual machine templates can be found in the following Citrix knowledge
    base article https://support.citrix.com/article/CTX200024 .

    o Citrix XenClient XT: XenClient XT versions 3.1.4, 3.2.0, and 3.2.1 are
    vulnerable to CVE-2014-0160. A new version of XenClient XT, 3.2.2, is
    available on the Citrix website at the following address: https://
    www.citrix.com/downloads/xenclient/product-software/xenclient-xt-322.html .
    The XenClient XT Synchronizer makes use of the platform provided OpenSSL
    library. Customers are advised to verify that the version of OpenSSL
    installed on the underlying Linux Operating System is not vulnerable to
    CVE-2014-0160.

    o Citrix XenClient Enterprise: Some versions of XenClient Enterprise Engine
    are vulnerable to CVE-2014-0160. In deployments where the XenClient
    Synchronizer is only accessed via fully trusted networks, the level of
    exposure is reduced. The TLS libraries used by currently supported versions
    of the XenClient Enterprise Synchronizer are not vulnerable to
    CVE-2014-0160. The following versions of XenClient Enterprise Engine are
    vulnerable to CVE-2014-0160:

        o 4.1.0, 4.1.1, 4.1.2, 4.1.3, and 4.1.4. Citrix has released a new
        version of the XenClient Enterprise engine, 4.1.5. This can be found at
        the following address: https://www.citrix.com/downloads/xenclient/
        product-software/xenclient-enterprise-41.html

        o 4.5.1, 4.5.2, 4.5.3, 4.5.4, and 4.5.5. Citrix has released a new
        version of the XenClient Enterprise engine, 4.5.6. This can be found at
        the following address: https://www.citrix.com/downloads/xenclient/
        product-software/xenclient-enterprise-45

        o 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4 and 5.0.5. Citrix has released a
        new version of the XenClient Enterprise engine, 5.0.6. This can be found
        at the following address: https://www.citrix.com/downloads/xenclient/
        product-software/xenclient-enterprise-50.html

        o 5.1.0, and 5.1.1. Citrix has released a new version of XenClient
        Enterprise, 5.1.2. This can be found at the following address: https://
        www.citrix.com/downloads/xenclient/product-software/
        xenclient-enterprise-51.html .

    o Citrix DesktopPlayer for Mac: DesktopPlayer for Mac version 1.0.x up to
    and including version 1.0.3 is vulnerable to CVE-2014-0160. A new version
    of the Desktop Player for Mac, 1.0.4, is available on the Citrix website at
    the following address: https://www.citrix.com/downloads/
    desktopplayer-for-mac/product-software/desktopplayer-for-mac-10.html . The
    TLS libraries used by currently supported versions of the DesktopPlayer
    Synchronizer are not vulnerable to CVE-2014-0160.

Products That May Require Third Party Updates:

    o Citrix XenDesktop 7.5: Customers deploying Virtual Desktop Agents that
    are hosted on Citrix CloudPlatform are advised to verify that the volume
    worker template is using a version of OpenSSL that is not vulnerable to
    CVE-2014-0160. Setup instructions for the volume worker template on
    CloudPlatform can be found in the following document: https://
    support.citrix.com/article/CTX140428 . Amazon Web Services based
    deployments use the Linux AMI template. Guidance from Amazon covering VMs
    based on this template can be found at the following location: https://
    aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/ .

    o Citrix Receiver for Android: Receiver for Android makes use of the
    OpenSSL library provided by the underlying Android platform. Citrix advises
    customers to check with their device vendors to ensure that the underlying
    Android version is not vulnerable to CVE-2014-0160. An initial statement by
    Google on Android can be found here: http://
    googleonlinesecurity.blogspot.co.uk/2014/04/
    google-services-updated-to-address.html .

    o Citrix XenMobile Worx components for Android: Worx components running on
    Android make use of the OpenSSL library provided by the underlying Android
    platform. Citrix advises customers to check with their device vendors to
    ensure that the underlying Android version is not vulnerable to
    CVE-2014-0160. An initial statement from Google on Android can be found
    here: http://googleonlinesecurity.blogspot.co.uk/2014/04/
    google-services-updated-to-address.html .

    o Citrix Receiver for Linux: The TLS libraries included in currently
    supported versions of Receiver for Linux are not vulnerable to
    CVE-2014-0160. Version 13.0 of the Receiver for Linux also makes use of the
    platform provided OpenSSL library. Customers using this version are advised
    to ensure that the version of OpenSSL installed on the underlying Linux
    Operating System is not vulnerable to CVE-2014-0160.

    o Citrix Web Interface: Web Interface makes use of the TLS functionality
    provided by the underlying web server. Citrix customers are advised to
    verify that any deployed web servers used to host Web Interface are not
    vulnerable to this issue. Web Interface can also use a built-in TLS library
    to make outgoing TLS connections; this library is not vulnerable to
    CVE-2014-0160.

    o Citrix CloudPortal Business Manager: This product does not include any
    TLS libraries and, as such, is not vulnerable to CVE-2014-0160. Some
    customer deployments may make use of an additional SSL proxy component;
    Citrix advises customers to contact the vendors of any SSL proxy components
    being used to determine if they are vulnerable to CVE-2014-0160.
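Several of the entries above (the XenClient XT Synchronizer, Receiver for Linux 13.0, Receiver for Android, and the web servers hosting Web Interface) tell customers to verify that the platform's own OpenSSL is not vulnerable. The Python below is an added example, not part of the Citrix advisory or AusCERT's text: it classifies an `openssl version -a` banner against the upstream affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and reports "affected_upstream_range" rather than "affected" because distributions often backport the fix without changing the version string. It assumes that a build with heartbeats compiled out shows the OPENSSL_NO_HEARTBEATS flag in the `-a` output.

```python
"""Classify an OpenSSL version banner against the CVE-2014-0160 affected range.
Added example; not the Citrix advisory's or AusCERT's own tooling."""
import re
import subprocess

# Upstream affected range: 1.0.1 through 1.0.1f and 1.0.2-beta1. Fixed in
# 1.0.1g / 1.0.2-beta2. 0.9.8 and 1.0.0 predate the TLS heartbeat extension.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?\b")


def parse_version(text):
    """Pull (major, minor, fix, letter, beta) out of a string such as
    'OpenSSL 1.0.1e 11 Feb 2013'. Returns None when no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def classify(version_output):
    """Classify the output of 'openssl version' or 'openssl version -a'.

    Returns 'not_affected', 'affected_upstream_range' or 'unknown'.
    'affected_upstream_range' means the upstream number is inside the
    vulnerable range; distributions backport the fix without bumping that
    number, so confirm against the distro advisory or package changelog.
    """
    # Assumption: a build configured with no-heartbeats shows the flag here.
    if "OPENSSL_NO_HEARTBEATS" in version_output:
        return "not_affected"
    v = parse_version(version_output)
    if v is None:
        return "unknown"
    major, minor, fix, letter, beta = v
    # '' (plain 1.0.1) sorts before 'a', so it is covered by letter <= 'f'.
    if (major, minor, fix) == (1, 0, 1) and letter <= "f":
        return "affected_upstream_range"
    if (major, minor, fix) == (1, 0, 2) and beta == 1:
        return "affected_upstream_range"
    return "not_affected"


def check_local_openssl():
    """Classify the OpenSSL found on PATH; 'unknown' if no binary is present."""
    try:
        out = subprocess.run(["openssl", "version", "-a"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return "unknown"
    return classify(out)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 1.0.2-beta1 24 Feb 2014", "OpenSSL 0.9.8y 5 Feb 2013"):
        print(f"{banner!r}: {classify(banner)}")
    print("local openssl:", check_local_openssl())
```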

Products That Are Not Impacted:

    o Citrix Provisioning Services: Currently supported versions of Citrix
    Provisioning Services are not affected by CVE-2014-0160.

    o Citrix XenServer: The TLS libraries used by currently supported versions
    of XenServer are not vulnerable to CVE-2014-0160.

    o Citrix VDI-in-a-Box: The TLS libraries used by currently supported
    versions of VIAB are not vulnerable to CVE-2014-0160.

    o Citrix XenMobile MDM Edition: The TLS libraries used by components of
    XenMobile MDM edition, including the XenMobile Device Manager component,
    are not vulnerable to CVE-2014-0160.

    o Citrix CloudPortal Services Manager: The TLS libraries used by currently
    supported versions of CloudPortal Services Manager are not vulnerable to
    CVE-2014-0160.

    o Citrix Receiver for Windows: The TLS libraries used by currently
    supported versions of Receiver for Windows are not vulnerable to
    CVE-2014-0160.

    o Citrix Receiver for Mac: The TLS libraries used by currently supported
    versions of Receiver for Mac are not vulnerable to CVE-2014-0160.

    o Citrix Receiver for iOS: The TLS libraries used by currently supported
    versions of Receiver for iOS are not vulnerable to CVE-2014-0160.

    o Citrix ByteMobile: The TLS libraries used by currently supported versions
    of ByteMobile are not vulnerable to CVE-2014-0160.

    o Citrix NetScaler: The TLS libraries used by currently supported versions
    of the NetScaler product are not vulnerable to CVE-2014-0160.

    o Citrix Access Gateway: The TLS libraries used by currently supported
    versions of Access Gateway are not vulnerable to CVE-2014-0160.

    o Citrix CloudBridge: The TLS libraries used by currently supported
    versions of Citrix CloudBridge, including client components, are not
    vulnerable to CVE-2014-0160.

    o Citrix Secure Gateway (CSG): The TLS library used by the currently
    supported version of CSG is not vulnerable to CVE-2014-0160.

    o Citrix XenApp SSLRelay Component: The TLS libraries used by currently
    supported versions of the XenApp SSLRelay are not vulnerable to
    CVE-2014-0160.

    o Citrix Single Sign-on, previously known as Password Manager: The TLS
    libraries used by currently supported versions of Citrix Single Sign-on are
    not vulnerable to CVE-2014-0160.

    o Citrix StoreFront: The TLS library used by currently supported versions
    of Citrix Storefront is not vulnerable to CVE-2014-0160.

    o Citrix Merchandising Server: The TLS library used by the currently
    supported version of Citrix Merchandising Server is not vulnerable to
    CVE-2014-0160.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at http://www.citrix.com/site/ss/supportContacts.asp . More information on the
support status of Citrix products can be found on our website at the following
address: http://www.citrix.com/support/product-lifecycle/product-matrix.html .

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For guidance on how to report
security-related issues to Citrix, please see the following document:
CTX081743 - Reporting Security Issues to Citrix

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================