Jump to content
Welcome to our new Citrix community!
  • 0

Vulnerabilities detected on XENSERVER 6.2 and xenserver 7.2


Rakesh Pai1709161481

Question

Hello Team, we have received HIGH vulnerabilities for CITRIX XENSERVER 6.2 /7.2. Please review and help us to mitigate the same.

And let us know if these are actually vulnerable for XENSERVERs. As per the CVE details, we could not find any solution from Citrix for the same and all solutions were for Linux boxes.

Please guide us with any fixes if required for our environment. Below are the vulnerability details detected 

 

Apache httpd Server ap_get_basic_auth_pw() Authentication Bypass Vulnerability (CVE-2017-3167)
Apache HTTP Server mod_mime Buffer Overread ( CVE-2017-7679)
OpenSSH Multiple Vulnerabilities (CVE-2015-5600 CVE-2015-6563)
OpenSSH 7.4 Not Installed Multiple Vulnerabilities(CVE- 2016-10009, CVE-2016-10010)

Link to comment

7 answers to this question

Recommended Posts

  • 0

Citrix rolls most into the updates. 6.2 is no longer supported. 7.2 is part of the new release cycle

and needs upgraded to 8.0. Citrix will release hotfixes for 8.0 and 7.1 LTSR at present. They may

release criticals for other versions, but they do that at their discretion. I wouldn't expect them

to release anymore hotfixes for 6.2 or 7.2.

 

--Alan--

Link to comment
  • 0
On 12/11/2019 at 7:17 PM, Alan Lantz said:

Citrix rolls most into the updates. 6.2 is no longer supported. 7.2 is part of the new release cycle

and needs upgraded to 8.0. Citrix will release hotfixes for 8.0 and 7.1 LTSR at present. They may

release criticals for other versions, but they do that at their discretion. I wouldn't expect them

to release anymore hotfixes for 6.2 or 7.2.

 

--Alan--

Thanks Alan, for your response. Is there any forum or Citrix article where we can validate if the below listed vulnerabilities

are applicable to XENSERVERs?

Apache httpd Server ap_get_basic_auth_pw() Authentication Bypass Vulnerability (CVE-2017-3167)
Apache HTTP Server mod_mime Buffer Overread ( CVE-2017-7679)
OpenSSH Multiple Vulnerabilities (CVE-2015-5600 CVE-2015-6563)
OpenSSH 7.4 Not Installed Multiple Vulnerabilities(CVE- 2016-10009, CVE-2016-10010)

 

this would help us with planning a patch or an update to mitigate the same

Link to comment
  • 0
On 12/12/2019 at 8:57 AM, Tobias Kreidl said:

For critical security updates, there will sometimes be exceptions made even for officially no-longer-supported releases. That's really good, in this case.

 

-=Tobias

Thanks Tobias, we need help in validating whether the listed are really applicable to XENSERVERS.

 

Apache httpd Server ap_get_basic_auth_pw() Authentication Bypass Vulnerability (CVE-2017-3167)
Apache HTTP Server mod_mime Buffer Overread ( CVE-2017-7679)
OpenSSH Multiple Vulnerabilities (CVE-2015-5600 CVE-2015-6563)
OpenSSH 7.4 Not Installed Multiple Vulnerabilities(CVE- 2016-10009, CVE-2016-10010) 

Link to comment
  • 0
 
 
 
 
Quote

Apache httpd Server ap_get_basic_auth_pw() Authentication Bypass Vulnerability (CVE-2017-3167)
Apache HTTP Server mod_mime Buffer Overread ( CVE-2017-7679)

 

Both of the above are Apache/httpd vulnerabilities - XenServer does not use Apache , hence my take is It should not be affected.

 

Quote

OpenSSH Multiple Vulnerabilities (CVE-2015-5600 CVE-2015-6563)

CVE-2015-6563 is only valid in environments with multiple distinct users, which is not the case for Dom0.

 

Quote

OpenSSH 7.4 Not Installed Multiple Vulnerabilities(CVE- 2016-10009, CVE-2016-10010)

XenServer 8.0 uses openssh-7.4p1-16.el7.x86_64 

 

So your best bet is to Upgrade to the latest. 

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...