===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1598.2
    Citrix ShareFile storage zones Controller multiple security updates
                               25 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix ShareFile
Publisher:         Citrix
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8983 CVE-2020-8982 CVE-2020-7473

Original Bulletin: 
   https://support.citrix.com/article/CTX269106

Revision History:  June 25 2020: Vendor released minor update
                   May   6 2020: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix ShareFile storage zones Controller multiple security updates

Reference: CTX269106

Category : Critical

Created  : 05 May 2020

Modified : 24 Jun 2020

Applicable Products

  o ShareFile

Description of Problem

Security issues have been identified in customer-managed Citrix ShareFile
storage zone controllers. These vulnerabilities, if exploited, would allow an
unauthenticated attacker to compromise the storage zones controller,
potentially giving the attacker the ability to access ShareFile users'
documents and folders.

These issues have been given the following identifiers:

  o CVE-2020-7473
  o CVE-2020-8982
  o CVE-2020-8983

Customer-managed storage zones created using the following versions of the
storage zones controller are affected:

  o ShareFile storage zones Controller 5.9.0
  o ShareFile storage zones Controller 5.8.0
  o ShareFile storage zones Controller 5.7.0
  o ShareFile StorageZones Controller 5.6.0
  o ShareFile StorageZones Controller 5.5.0
  o All earlier versions of ShareFile StorageZones Controller

Storage zones created using the recently released versions of storage zones
controllers listed below are not affected:

  o Storage Zones Controller 5.10.0 and later 5.10 releases
  o Storage Zones Controller 5.9.2 and later 5.9 releases
  o Storage Zones Controller 5.8.2 and later 5.8 releases
  o Storage Zones Controller 5.7.2 and later 5.7 releases
  o ShareFile StorageZones Controller 5.6.2 and later 5.6 releases
  o ShareFile StorageZones Controller 5.5.2 and later 5.5 releases

Storage zones created using a vulnerable version of the storage zones
controller are at risk even if the storage zones controller has been
subsequently updated.
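
The version lists and the creation-time caveat above, expressed as a triage
check (an added example, not part of the Citrix or AusCERT text). The
inventory rows and their field names are constructed; versions the bulletin
does not list, such as 5.9.1, are reported as unlisted rather than guessed.

```python
# Added example (not vendor code): triage zones against this bulletin's lists.
# Minimum not-affected patch level per release branch, from the bulletin.
FIXED_MIN_PATCH = {(5, 10): 0, (5, 9): 2, (5, 8): 2, (5, 7): 2, (5, 6): 2, (5, 5): 2}
# Releases the bulletin names as affected; everything older than 5.5.0 is too.
NAMED_AFFECTED = {(5, 9, 0), (5, 8, 0), (5, 7, 0), (5, 6, 0), (5, 5, 0)}

# Constructed inventory; field names are hypothetical. "running" is shown only
# to make the point that "hq" is fully updated yet still needs the tool.
INVENTORY = [
    {"zone": "hq", "managed_by": "customer", "created_with": "5.8.0", "running": "5.10.0"},
    {"zone": "lab", "managed_by": "customer", "created_with": "5.10.0", "running": "5.10.0"},
    {"zone": "dr", "managed_by": "customer", "created_with": "5.9.1", "running": "5.9.2"},
    {"zone": "cloud", "managed_by": "citrix", "created_with": "", "running": ""},
]


def parse_version(text):
    """Return (major, minor, patch) as ints so that 5.10 sorts after 5.9."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def classify_version(text):
    """Map a controller version to 'affected', 'not_affected' or 'unlisted'."""
    version = parse_version(text)
    if version in NAMED_AFFECTED or version < (5, 5, 0):
        return "affected"
    if version[2] >= FIXED_MIN_PATCH.get(version[:2], float("inf")):
        return "not_affected"
    return "unlisted"  # e.g. 5.9.1 or 5.11.0: the bulletin does not say


def triage_zone(zone):
    """Return the action for one zone, keyed on the version that created it."""
    if zone["managed_by"] == "citrix":
        return "no action"
    status = classify_version(zone["created_with"])
    if status == "affected":
        # A later controller update does not clear the risk for this zone.
        return "run mitigation tool (CTX269341)"
    if status == "unlisted":
        return "confirm with CTX269106"
    return "not affected; keep controller on a supported version"


def triage_inventory(inventory):
    return {zone["zone"]: triage_zone(zone) for zone in inventory}
```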

What Customers Should Do

Customers with Citrix-managed storage zones do not need to take any action.
Customers with customer-managed storage zones should ensure they are running
on a supported version. To address the issue, customers are strongly
recommended to run the mitigation tool as soon as possible on the storage zone
controllers managing each impacted storage zone, following the guidance in
this support article:

https://support.citrix.com/article/CTX269341

Acknowledgements

Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and
CVE-2020-8983 to protect Citrix customers. Citrix would also like to
thank Daniel Jensen for working with us to protect Citrix customers.

Changelog

+------------------------+----------------------------------------------------+
|Date                    |Change                                              |
+------------------------+----------------------------------------------------+
|2020-05-05              |Initial publication                                 |
+------------------------+----------------------------------------------------+
|2020-06-24              |Fixed versions updated                              |
+------------------------+----------------------------------------------------+

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================