-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1598
    Citrix ShareFile storage zones Controller multiple security updates
                                6 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix ShareFile
Publisher:         Citrix
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8983 CVE-2020-8982 CVE-2020-7473

Original Bulletin: 
   https://support.citrix.com/article/CTX269106

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix ShareFile storage zones Controller multiple security updates

Reference: CTX269106

Category : Critical

Created  : 05 May 2020

Modified : 05 May 2020

Applicable Products

  o ShareFile

Description of Problem

Security issues have been identified in customer-managed Citrix ShareFile
storage zone controllers. These vulnerabilities, if exploited, would allow an
unauthenticated attacker to compromise the storage zones controller,
potentially giving the attacker the ability to access ShareFile users'
documents and folders.

These issues have been given the following identifiers:

  o CVE-2020-7473
  o CVE-2020-8982
  o CVE-2020-8983

Customer-managed storage zones created using the following versions of the
storage zones controller are affected:

  o ShareFile storage zones Controller 5.9.0
  o ShareFile storage zones Controller 5.8.0
  o ShareFile storage zones Controller 5.7.0
  o ShareFile StorageZones Controller 5.6.0
  o ShareFile StorageZones Controller 5.5.0
  o All earlier versions of ShareFile StorageZones Controller

Storage zones created using the recently released versions of storage zones
controllers listed below are not affected:

  o Storage Zones Controller 5.10.0 and later 5.10 releases
  o Storage Zones Controller 5.9.1 and later 5.9 releases
  o Storage Zones Controller 5.8.1 and later 5.8 releases
  o Storage Zones Controller 5.7.1 and later 5.7 releases
  o ShareFile StorageZones Controller 5.6.1 and later 5.6 releases
  o ShareFile StorageZones Controller 5.5.1 and later 5.5 releases

Storage zones created using a vulnerable version of the storage zones
controller are at risk even if the storage zones controller has been
subsequently updated.
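The affected and fixed version lists above, together with the rule that a zone created by a vulnerable controller stays at risk after an upgrade, make a useful inventory triage check. The following is an added example written for this bulletin; it is not Citrix or AusCERT code. It assumes controller versions are dotted numerics such as "5.9.1", and the zone records at the bottom are constructed sample data.

```python
"""Triage helper for Citrix ShareFile storage zones controller versions.

Encodes the affected / fixed version lists from CTX269106 so a defender can
classify an inventory of customer-managed zones. Added example, not vendor
code. Assumes dotted numeric version strings such as "5.9.1" or "5.9".
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# First fixed release on each branch, as listed in the bulletin. Every release
# below the listed one on the same branch is affected.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 5): (5, 5, 1),
    (5, 6): (5, 6, 1),
    (5, 7): (5, 7, 1),
    (5, 8): (5, 8, 1),
    (5, 9): (5, 9, 1),
    (5, 10): (5, 10, 0),
}
# The bulletin states that all versions earlier than 5.5.0 are affected.
OLDEST_LISTED_BRANCH = (5, 5)


def parse_version(text: str) -> Version:
    """Parse "5.9.1" or "5.9" into a 3-tuple, padding missing parts with 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def classify_version(text: str) -> str:
    """Return "affected", "fixed" or "not listed" for one controller version."""
    v = parse_version(text)
    branch = (v[0], v[1])
    if branch in FIXED_BY_BRANCH:
        return "fixed" if v >= FIXED_BY_BRANCH[branch] else "affected"
    if branch < OLDEST_LISTED_BRANCH:
        return "affected"
    # Branches newer than 5.10 are not mentioned in the bulletin; do not guess.
    return "not listed"


def assess_zone(created_with: str, running_now: str) -> Tuple[str, str]:
    """Apply the bulletin's rule: a zone created by a vulnerable controller
    stays at risk even if the controller was later upgraded.

    Returns ("at_risk" | "verify" | "ok", reason).
    """
    created = classify_version(created_with)
    current = classify_version(running_now)
    if created == "affected":
        return ("at_risk",
                f"zone created with affected controller {created_with}; "
                "run the mitigation tool from CTX269341")
    if current == "affected":
        return ("at_risk",
                f"controller {running_now} is affected; upgrade and run the "
                "mitigation tool from CTX269341")
    if "not listed" in (created, current):
        return ("verify", "version not covered by the bulletin; check CTX269106")
    return ("ok", "zone created on and running a fixed release")


def triage_inventory(zones: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Classify each zone record (name, created_with, running_now)."""
    return [(z["name"], assess_zone(z["created_with"], z["running_now"])[0])
            for z in zones]


# Constructed sample inventory (hypothetical zone names and versions).
SAMPLE_ZONES = [
    {"name": "zone-syd", "created_with": "5.8.0", "running_now": "5.8.1"},
    {"name": "zone-mel", "created_with": "5.9.1", "running_now": "5.9.1"},
    {"name": "zone-bne", "created_with": "5.4.2", "running_now": "5.10.0"},
    {"name": "zone-per", "created_with": "5.10.0", "running_now": "5.11.0"},
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_ZONES):
        print(f"{name}: {status}")
```

Note that "zone-syd" and "zone-bne" are flagged even though the controller now runs a fixed release; that is precisely the point of the sentence above, so the check keys off the version the zone was created with, not only the version currently installed.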

What Customers Should Do

Customers with Citrix-managed storage zones do not need to take any action.
Customers with customer-managed storage zones should ensure they are running on
a supported version. To address the issue, customers are strongly recommended
to run the mitigation tool as soon as possible on the storage zone controllers
managing each impacted storage zone, following the guidance in the following
support article:

https://support.citrix.com/article/CTX269341

Acknowledgements

Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and
CVE-2020-8983 to protect Citrix customers.

Changelog

+--------------------------+--------------------------------------------------+
|Date                      |Change                                            |
+--------------------------+--------------------------------------------------+
|2020-05-05                |Initial publication                               |
+--------------------------+--------------------------------------------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXrIPc2aOgq3Tt24GAQg4Jw//UYODl9bk8shcgUy10Uhq7Ivzbu22UOIm
6hOSQl4d2dqiN3NoAEXoxBdWjk3NYRmCax+VcFb37fut4WPhSAqGMjxj2Rc+3aZ0
857zzyqKtYbGTMRxq7npnlapSP+32R5xNjUXLSHLn67fGskTcgsCJhlQHbJv9Psh
pDZHtHhlHpePx0Y9qUpjgDV2eUUu3WLPckwKO5DgqPNhnXP2aqRsxXp2G/0M0HmX
EpqVqnjMWQXd4MYoxAxlgZyT3YZZlNiApuFnPyzHt3AtG9fjEwbarIU1i6pyHPob
Nr/vAo9WnAF43xtlKGicEUVq5SgF7bkJcwvxIAnRSGHkFNDEbUhTLqu+W2fPMd1V
TGI48volw6/iMK3mRJNsQyj+5tlofy5ovXVukAC+rit6FzOmxyGDqEJoxR4DJoNg
UwUhma2afa4itpfDqSULSohxgDdkk096hVWwNznQ9V1nuZpUTz46B6X87pXwwIDp
XARAxKW+QWtV8FufDAHRM5ZmBO2IOLHgw0jXsNWXBulcVuprD+dWslr0CcZcEE6G
MB3YHh2YJHxXPwfA7K7mR6X5SCkNCf04fgP53i8qdr40L6xafUmJdnmwu30Bb+Ir
VWYgLtnHyU879M8+AC57/tsZkdyihgM0dTKid4fg6aQxDGdezh+ZhPA54FWT6b3z
nvPM4KfeoSI=
=7SWa
-----END PGP SIGNATURE-----