  • NetScaler WAF Signatures Update v116

    NetScaler Cyber Threat Intelligence
    • Validation Status: Validated
      Has Video?: No

    NetScaler WAF Signatures Update v116

    (limited to SharePoint and Atlassian)


    NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate two vulnerabilities in two widely deployed software products. The first is related to a Microsoft SharePoint Server chain attack that exploits CVE-2023-24955, while the second is a critical Atlassian Confluence Server vulnerability, namely CVE-2023-22525.

    CVE-2023-22525 is a critical vulnerability in Atlassian Confluence Server. The vulnerability allows an attacker to execute remote code on the affected system, which could lead to data theft or system compromise. The vulnerability affects Confluence Server versions 6.1.0 to 7.13.20, 7.19.8, and 8.2.0. Atlassian has released a patch for this vulnerability, and users are advised to update their systems as soon as possible. The vulnerability is caused by an input validation error when Confluence Server processes user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted request to the affected server. Once the attacker has successfully exploited the vulnerability, they can execute arbitrary code on the affected system with the privileges of the Confluence Server process. To mitigate this vulnerability, Atlassian recommends that users upgrade their Confluence Server installations to version 7.13.21, 7.19.9, or 8.2.1. If upgrading is not possible, users can apply a workaround by disabling the “Widget Connector” feature in Confluence Server or by enabling our WAF signature.

    CVE-2023-24955 is a remote code execution vulnerability affecting Microsoft SharePoint Server. The vulnerability was assigned a CVSSv3 score of 7.2 and could allow an authenticated Site Owner to execute code on an affected SharePoint Server. The vulnerability was part of a chain attack that also involved another vulnerability, CVE-2023-29357, which is an elevation of privilege vulnerability in Microsoft SharePoint Server that was assigned a CVSSv3 score of 9.8 and rated critical (part of v112 WAF signature version). A proof-of-concept exploit chain has been released for these two vulnerabilities that can be exploited to achieve unauthenticated RCE against Microsoft SharePoint Server.

    Signatures included in v115:

    Signature rule (CVE ID)

    • WEB-MISC Microsoft SharePoint Server - Remote Code Execution Vulnerability (CVE-2023-24955)
    • WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /setup/*.action (CVE-2023-22515)
    • WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /server-info.action (CVE-2023-22515)


    NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.


    If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 115 or later and then follow these steps.

    1. Search your signatures for <number>
    2. Select the results with ID 
    3. Choose “Enable Rules” and click OK


    NetScaler WAF Best Practices

    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

    Handling false positives

    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.


    Modifications to NetScaler Web App Firewall Policy:

    add policy patset exception_list

    # (Example: bind policy patset exception_list "/exception_url")

    Prepend the existing WAF policy with:

    # (Example: set appfw policy my_WAF_policy -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

    NOTE: Any endpoint covered by the exception_list may be exposed to these risks.
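
    An added example, not part of the original article or NetScaler's own tooling: a Python check that reads `bind policy patset` lines from saved configuration text and reports exception_list entries that overlap the Confluence endpoints named in the signature titles above. It assumes CONTAINS_ANY substring matching, treats `*` as one slash-free part of a path segment, and runs on a constructed configuration excerpt; the function names are hypothetical.

```python
import shlex

# Endpoints named in the signature titles on this page (the SharePoint
# signature title gives no path, so it is not modelled here).
PROTECTED = ["/setup/*.action", "/server-info.action"]

# Constructed configuration excerpt for illustration (not from a real appliance).
SAMPLE_CONF = '''
add policy patset exception_list
bind policy patset exception_list "/static/img"
bind policy patset exception_list "/setup"
bind policy patset exception_list /server-info.action -index 3
bind policy patset other_list ".action"
'''

def patset_patterns(conf, patset="exception_list"):
    """Return the patterns bound to `patset` in NetScaler CLI text."""
    patterns = []
    for line in conf.splitlines():
        tokens = shlex.split(line)
        head = [t.lower() for t in tokens[:3]]
        if head == ["bind", "policy", "patset"] and tokens[3:4] == [patset] and len(tokens) >= 5:
            patterns.append(tokens[4])
    return patterns

def can_cover(pattern, glob):
    """True if some path matching `glob` contains `pattern` as a substring."""
    if "*" not in glob:
        return pattern in glob
    prefix, suffix = glob.split("*", 1)
    # Assumption: '*' expands to slash-free text. Trying the empty string and
    # every slash-free substring of the pattern covers all possible overlaps.
    fillers = {""} | {pattern[i:j]
                      for i in range(len(pattern))
                      for j in range(i + 1, len(pattern) + 1)
                      if "/" not in pattern[i:j]}
    return any(pattern in prefix + w + suffix for w in fillers)

def audit(conf, patset="exception_list"):
    """Map each risky exception pattern to the protected endpoints it relaxes."""
    findings = {}
    for pattern in patset_patterns(conf, patset):
        hits = [g for g in PROTECTED if can_cover(pattern, g)]
        if hits:
            findings[pattern] = hits
    return findings

if __name__ == "__main__":
    for pattern, globs in audit(SAMPLE_CONF).items():
        print(f"exception {pattern!r} relaxes signature coverage for {globs}")
```

    Any pattern the check reports should be narrowed or removed before the relaxed policy is saved.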

    Additional Information

    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.

    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.

    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 





