Description of Problem
Security issues have been identified in customer-managed Citrix ShareFile storage zone controllers. These vulnerabilities, if exploited, would allow an unauthenticated attacker to compromise the storage zones controller potentially giving an attacker the ability to access ShareFile users’ documents and folders.
These issues have been given the following identifiers:
- CVE-2020-7473
- CVE-2020-8982
- CVE-2020-8983
Customer-managed storage zones created using the following versions of the storage zones controller are affected:
- ShareFile storage zones Controller 5.9.0
- ShareFile storage zones Controller 5.8.0
- ShareFile storage zones Controller 5.7.0
- ShareFile StorageZones Controller 5.6.0
- ShareFile StorageZones Controller 5.5.0
- All earlier versions of ShareFile StorageZones Controller
Storage zones created using the recently released versions of storage zones controllers listed below are not affected:
- Storage Zones Controller 5.10.0 and later 5.10 releases
- Storage Zones Controller 5.9.2 and later 5.9 releases
- Storage Zones Controller 5.8.2 and later 5.8 releases
- Storage Zones Controller 5.7.2 and later 5.7 releases
- ShareFile StorageZones Controller 5.6.2 and later 5.6 releases
- ShareFile StorageZones Controller 5.5.2 and later 5.5 releases
Storage zones created using a vulnerable version of the storage zones controller are at risk even if the storage zones controller has been subsequently updated.
What Customers Should Do
Customers with Citrix-managed storage zones do not need to take any action. Customers with customer-managed storage zones should ensure they are running on a supported version. In order to address the issue customers are strongly recommended to run the mitigation tool as soon as possible on the storage zone controllers managing each impacted storage zone by following the guidance in the following support article:
Acknowledgements
Citrix thanks Danske Bank Red-Team for working with us on CVE-2020-8982 and CVE-2020-8983 to protect Citrix customers. Citirix would also like to thank Daniel Jensen (@dozernz) for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners with customer-managed storage zone controllers about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please visit the Citrix Trust Center at https://www.citrix.com/about/trust-center/vulnerability-process.html.
Changelog
Date | Change |
2020-05-05 | Initial publication |
2020-06-24 | Fixed versions updated |