Description of Problem
A weakness has been identified in Citrix XenApp and XenDesktop. While this issue is not directly exploitable, it could potentially weaken an existing security mitigation, resulting in a loss of defence in depth.
This weakness affects the following Citrix products:
- Citrix XenDesktop up to and including version 7.8
- Citrix XenApp 7.x up to and including version 7.8
- All versions of Citrix XenApp 6.x up to and including version 6.5 with HRP 06 installed
This weakness has been assigned the following CVE number:
- CVE-2016-6493: Memory Permission Weakness in Citrix XenApp and XenDesktop
What Customers Should Do
This weakness has been addressed in the following Citrix products:
- Citrix XenApp and XenDesktop 7.9 and later
- Citrix XenApp and XenDesktop 7.6 LTSR CU2 and later
- Citrix XenApp 6.5 HRP07 and later
Citrix recommends that customers upgrade to these versions. These updates can be obtained from the following location:
Citrix XenApp & XenDesktop: https://www.citrix.com/downloads/xenapp-and-xendesktop/
Acknowledgements
Citrix thanks Udi Yavo, CTO, enSilo (http://www.ensilo.com) for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change |
---|---|
August 3rd 2016 | Initial bulletin publishing |
August 4th 2016 | Update to Applicable Products |
October 5th 2016 | Update to What Customers Should Do |
February 13th 2017 | Update to What Customers Should Do |