Permanent fixes for CVE-2019-19781 – Vulnerability for Citrix ADC versions 11.1 and 12.0

Permanent fixes for CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance

As previous mentioned in this post last week, Citrix now has the first permanent fixes for CVE-2019-19781 – Vulnerability for Citrix ADC versions 11.1 and 12.0.

Here are the important updates:

Permanent fixes for ADC versions 11.1 and 12.0 are available as downloads here and here.

  • These fixes also apply to Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of ESX, Hyper-V, KVM, XenServer, Azure, AWS, GCP or on a Citrix ADC Service Delivery Appliance (SDX). SVM on SDX does not need to be updated.
  • It is necessary to upgrade all Citrix ADC and Citrix Gateway 11.1 instances (MPX or VPX) to build 11.1.63.15 to install the security vulnerability fixes. It is necessary to upgrade all Citrix ADC and Citrix Gateway 12.0 instances (MPX or VPX) to build 12.0.63.13 to install the security vulnerability fixes.  .

Citrix has moved forward the availability of permanent fixes for other ADC versions and for SD-WAN WANOP from their previous target dates as follows:

  • ADC version 12.1, now January 24
  • ADC version 13 and ADC version 10.5, now January 24
  • SD-WAN WANOP fixes, now January 24
Citrix ADC and Citrix Gateway
VersionRefresh BuildRelease Date
11.111.1.63.15January 19, 2020
12.012.0.63.13January 19, 2020
12.112.1.55.xJanuary 24, 2020
10.510.5.70.xJanuary 24, 2020
13.013.0.47.xJanuary 24, 2020
Citrix SD-WAN WANOP
ReleaseCitrix ADC ReleaseRelease Date
10.2.611.1.51.615January 24, 2020
11.0.311.1.51.615January 24, 2020

According to Fermin J. Serna, Citrix’s CISO on Twitter:

12.1 build 50.28 information is being misinterpreted heavily. If you applied ALL mitigations steps even as they were described Dec 17th you should be good. Mitigation was never incomplete. Two options 1) upgrade 50.28 and apply partial mitigation OR 2) apply full mitigation

Citrix urges customers to immediately install these fixes. There are several important points to keep in mind in doing so. These fixes are for the indicated versions only, if you have multiple ADC versions in production, you must apply the correct version fix to each system.

If you have not already done so, you need to apply the previously supplied mitigations to ADC versions 12.1, 13, 10.5 and SD-WAN WANOP versions 10.2.6 and 11.0.3 until the fixes for those versions are available. Once complete, you can use the tool that Citrix has previously provided to ensure the mitigations have successfully been applied. While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, Citrix strongly encourage customers to apply the permanent fixes as soon as possible.

The permanent fixes being made available today are applicable to all supported subsets of those versions. Upgrade guides can be found on the download pages. While the updates are not difficult, Citrix do recommend you to review the instructions prior to installation. In addition, Citrix has staffed their support center with strong networking technical resources who are ready to support you on the installs if needed.

As always, Citrix remain deeply committed to the security of their solutions and to helping you manage CVE-2019-19781 and will continue to provide updates and support via our Support Knowledge Center. To receive updates automatically, visit: https://support.citrix.com/user/alerts.