Description of Problem
An open redirect vulnerability has been identified in the Citrix License Server for Windows and the Citrix License Server VPX.
This vulnerability could potentially be used to facilitate a phishing or social engineering attack.
This vulnerability has been assigned the following CVE number:
- CVE-2017-5571: Open Redirect Vulnerability in lmadmin component of Flexera FlexNet Publisher up to and including version 11.14.1.
This vulnerability affects all versions of the Citrix License Server for Windows and License Server VPX up to and including version 11.14.0.1.
What Customers Should Do
This vulnerability can be addressed with a manual configuration change. Citrix has produced a Knowledge Center article that provides information on how to configure the License Server for Windows and License Server VPX to prevent this vulnerability. Citrix recommends that customers review this document and apply the manual configuration changes to affected License Server deployments.
This document can be found at the following address:
Acknowledgements
Citrix thanks Jan Rude (https://github.com/whoot) for working with us to protect Citrix customers.
What Citrix Is Doing
Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change
2nd February 2017 | Initial publishing