===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1598.2
     Citrix ShareFile storage zones Controller multiple security updates
                                 25 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix ShareFile
Publisher:         Citrix
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8983 CVE-2020-8982 CVE-2020-7473

Original Bulletin:
   https://support.citrix.com/article/CTX269106

Revision History:  June 25 2020: Vendor released minor update
                   May 6 2020:   Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

Citrix ShareFile storage zones Controller multiple security updates

Reference:  CTX269106
Category :  Critical
Created :   05 May 2020
Modified :  24 Jun 2020

Applicable Products

  o ShareFile

Description of Problem

Security issues have been identified in customer-managed Citrix ShareFile
storage zone controllers. These vulnerabilities, if exploited, would allow an
unauthenticated attacker to compromise the storage zones controller,
potentially giving the attacker the ability to access ShareFile users'
documents and folders.
These issues have been given the following identifiers:

  o CVE-2020-7473
  o CVE-2020-8982
  o CVE-2020-8983

Customer-managed storage zones created using the following versions of the
storage zones controller are affected:

  o ShareFile storage zones Controller 5.9.0
  o ShareFile storage zones Controller 5.8.0
  o ShareFile storage zones Controller 5.7.0
  o ShareFile StorageZones Controller 5.6.0
  o ShareFile StorageZones Controller 5.5.0
  o All earlier versions of ShareFile StorageZones Controller

Storage zones created using the recently released versions of storage zones
controllers listed below are not affected:

  o Storage Zones Controller 5.10.0 and later 5.10 releases
  o Storage Zones Controller 5.9.2 and later 5.9 releases
  o Storage Zones Controller 5.8.2 and later 5.8 releases
  o Storage Zones Controller 5.7.2 and later 5.7 releases
  o ShareFile StorageZones Controller 5.6.2 and later 5.6 releases
  o ShareFile StorageZones Controller 5.5.2 and later 5.5 releases

Storage zones created using a vulnerable version of the storage zones
controller remain at risk even if the storage zones controller has been
subsequently updated.

What Customers Should Do

Customers with Citrix-managed storage zones do not need to take any action.

Customers with customer-managed storage zones should ensure they are running
a supported version. To address the issue, customers are strongly recommended
to run the mitigation tool as soon as possible on the storage zones
controllers managing each impacted storage zone, following the guidance in
the following support article:

   https://support.citrix.com/article/CTX269341

Acknowledgements

Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and
CVE-2020-8983 to protect Citrix customers. Citrix would also like to thank
Daniel Jensen for working with us to protect Citrix customers.
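The version lists above translate into a simple triage rule, and the bulletin's caveat (a zone created with a vulnerable controller stays at risk after an upgrade) means the version a zone was created with matters as much as the version running now. The following helper is an added example, not part of the AusCERT or Citrix text; the zone inventory and version strings are constructed samples, and it assumes that branches newer than 5.10 are covered by "5.10.0 and later".

```python
# Added example (not from the bulletin): classify ShareFile storage zones
# controller versions against the fixed releases listed in CTX269106 and
# decide, per zone, whether an upgrade and/or the mitigation tool is needed.
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed release on each branch, as listed in the bulletin.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (5, 5): (5, 5, 2),
    (5, 6): (5, 6, 2),
    (5, 7): (5, 7, 2),
    (5, 8): (5, 8, 2),
    (5, 9): (5, 9, 2),
    (5, 10): (5, 10, 0),
}

def parse_version(text: str) -> Version:
    """Parse '5.9.2' into (5, 9, 2); missing components count as 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def is_fixed(version: str) -> bool:
    """True if this controller build is one of the non-affected releases."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v >= FIXED_BY_BRANCH[branch]
    # Assumption: anything newer than 5.10 is covered by "5.10.0 and later";
    # the bulletin lists everything older than 5.5 as affected.
    return branch > (5, 10)

def triage(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map each zone to the actions the bulletin calls for. A zone created
    with a vulnerable controller needs the mitigation tool even when the
    controller has since been upgraded to a fixed release."""
    actions: Dict[str, List[str]] = {}
    for zone in inventory:
        todo = []
        if not is_fixed(zone["running_now"]):
            todo.append("upgrade controller")
        if not is_fixed(zone["created_with"]):
            todo.append("run mitigation tool (CTX269341)")
        actions[zone["zone"]] = todo
    return actions

# Constructed sample inventory: zone, controller version at creation, current version.
SAMPLE_INVENTORY = [
    {"zone": "zone-a", "created_with": "5.9.0", "running_now": "5.9.2"},   # upgraded, still at risk
    {"zone": "zone-b", "created_with": "5.10.0", "running_now": "5.10.0"}, # created on a fixed build
    {"zone": "zone-c", "created_with": "5.4.1", "running_now": "5.4.1"},   # pre-5.5, affected
    {"zone": "zone-d", "created_with": "5.8.2", "running_now": "5.8.2"},   # created on a fixed build
]

if __name__ == "__main__":
    for name, todo in triage(SAMPLE_INVENTORY).items():
        print(name, "->", ", ".join(todo) or "no action")
```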
Changelog

+------------------------+----------------------------------------------------+
|Date                    |Change                                              |
+------------------------+----------------------------------------------------+
|2020-05-05              |Initial publication                                 |
+------------------------+----------------------------------------------------+
|2020-06-24              |Fixed versions updated                              |
+------------------------+----------------------------------------------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

   https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================