             AUSCERT External Security Bulletin Redistribution

    Citrix ShareFile storage zones Controller multiple security updates
                               25 June 2020


        AusCERT Security Bulletin Summary

Product:           Citrix ShareFile
Publisher:         Citrix
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8983 CVE-2020-8982 CVE-2020-7473

Original Bulletin: 

Revision History:  June 25 2020: Vendor released minor update
                   May   6 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix ShareFile storage zones Controller multiple security updates

Reference: CTX269106

Category : Critical

Created  : 05 May 2020

Modified : 24 Jun 2020

Applicable Products

  o ShareFile

Description of Problem

Security issues have been identified in customer-managed Citrix ShareFile
storage zone controllers. These vulnerabilities, if exploited, would allow an
unauthenticated attacker to compromise the storage zones controller potentially
giving an attacker the ability to access ShareFile users' documents and

These issues have been given the following identifiers:

  o CVE-2020-7473
  o CVE-2020-8982
  o CVE-2020-8983

Customer-managed storage zones created using the following versions of the
storage zones controller are affected:

  o ShareFile storage zones Controller 5.9.0
  o ShareFile storage zones Controller 5.8.0
  o ShareFile storage zones Controller 5.7.0
  o ShareFile StorageZones Controller 5.6.0
  o ShareFile StorageZones Controller 5.5.0
  o All earlier versions of ShareFile StorageZones Controller

Storage zones created using the recently released versions of storage zones
controllers listed below are not affected:

  o Storage Zones Controller 5.10.0 and later 5.10 releases
  o Storage Zones Controller 5.9.2 and later 5.9 releases
  o Storage Zones Controller 5.8.2 and later 5.8 releases
  o Storage Zones Controller 5.7.2 and later 5.7 releases
  o ShareFile StorageZones Controller 5.6.2 and later 5.6 releases
  o ShareFile StorageZones Controller 5.5.2 and later 5.5 releases

Storage zones created using a vulnerable version of the storage zones
controller are at risk even if the storage zones controller has been
subsequently updated.
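
The version rules above can be applied to a zone inventory as follows. This is an added example, not code from Citrix or AusCERT; the zone names, status labels and function names are assumptions, and versions that appear on neither list are reported as "unlisted" rather than guessed.

```python
import re

# Lowest patch level per release line that the bulletin lists as not affected.
FIXED_MIN_PATCH = {(5, 10): 0, (5, 9): 2, (5, 8): 2, (5, 7): 2, (5, 6): 2, (5, 5): 2}
# Releases the bulletin names as affected; everything before 5.5.0 is affected too.
LISTED_AFFECTED = {(5, 9, 0), (5, 8, 0), (5, 7, 0), (5, 6, 0), (5, 5, 0)}


def parse_version(text):
    """Return (major, minor, patch); a missing patch is 0, build suffixes are ignored."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.\d+)*\s*", text)
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def classify(version_text):
    """Map a controller version onto the bulletin's two lists."""
    version = parse_version(version_text)
    if version in LISTED_AFFECTED or version < (5, 5, 0):
        return "affected"
    floor = FIXED_MIN_PATCH.get(version[:2])
    if floor is not None and version[2] >= floor:
        return "not_affected"
    return "unlisted"  # e.g. 5.8.1 or 5.11.0: the bulletin covers neither


def triage_zone(created_with, running):
    """Decide on the version that CREATED the zone; upgrading later does not clear it."""
    created, current = classify(created_with), classify(running)
    if created == "affected":
        return "run-mitigation-tool"
    if created == "unlisted" or current != "not_affected":
        return "review"
    return "no-action"


# Constructed inventory: (zone name, version that created it, version running now).
SAMPLE_ZONES = [
    ("zone-a", "5.7.0", "5.10.0"),   # created vulnerable, since upgraded
    ("zone-b", "5.9.2", "5.9.2"),
    ("zone-c", "5.8.1", "5.10.0"),   # creation version on neither list
]

if __name__ == "__main__":
    for name, created_with, running in SAMPLE_ZONES:
        print(f"{name}: {triage_zone(created_with, running)}")
```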

What Customers Should Do

Customers with Citrix-managed storage zones do not need to take any action. 
Customers with customer-managed storage zones should ensure they are running on
a supported version. In order to address the issue customers are strongly
recommended to run the mitigation tool as soon as possible on the storage zone
controllers managing each impacted storage zone by following the guidance in
the following support article:



Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and
CVE-2020-8983 to protect Citrix customers. Citrix would also like to
thank Daniel Jensen for working with us to protect Citrix customers.


|Date                    |Change                                              |
|2020-05-05              |Initial publication                                 |
|2020-06-24              |Fixed versions updated                              |

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.