NetScaler Cyber Threat Intelligence
  1. NetScaler WAF Signatures Update v123

     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate several CVEs with variable CVSS. Two notable additions are:

     CVE-2024-21650, which is a vulnerability in XWiki Enterprise, an open-source wiki software that is used by many organizations to manage their knowledge base. This vulnerability has been assigned a CVSS score of 9.8, which is considered critical. The vulnerability allows an attacker to execute arbitrary code with elevated privileges, which could lead to a complete compromise of the system. This could result in the loss of sensitive data, unauthorized access to critical systems, and other serious consequences. It is recommended that users apply the latest security patches to their XWiki Enterprise installations to mitigate the risk of exploitation.

     CVE-2023-22527, which is a template injection vulnerability in Atlassian Confluence Data Center and Server. This vulnerability only affects out-of-date versions of these products. An unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Confluence Data Center or Server instance. Successful exploitation would allow an attacker to obtain remote code execution. This vulnerability carries a CVSS score of 10, the highest critical rating. It is recommended that users upgrade to the latest version of Confluence Data Center or Server to mitigate the risk of exploitation. Additionally, users should ensure that their Confluence instances are not exposed to the internet and that access to the application is restricted to authorized personnel only.

     Signatures included in v123:

     Signature rule | CVE ID | Description
     998548 | CVE-2024-21650 | WEB-MISC xWiki Platform Prior Multiple Versions - Remote Code Execution Vulnerability (CVE-2024-21650)
     998549 | CVE-2023-6875, CVE-2023-7027 | WEB-WORDPRESS POST SMTP Plugin Prior to 2.8.8 - Missing Authorization/XSS Vulnerability (CVE-2023-6875, CVE-2023-7027)
     998550 | CVE-2023-51409 | WEB-WORDPRESS AI Engine Plugin Prior To 1.9.99 - Unauthenticated Arbitrary File Upload (CVE-2023-51409)
     998551 | CVE-2023-46805, CVE-2024-21887 | WEB-MISC Ivanti Connect Secure Multiple Versions - Remote Code Execution vulnerability (CVE-2023-46805, CVE-2024-21887)
     998552 | CVE-2023-46805, CVE-2024-21887 | WEB-MISC Ivanti Connect Secure Multiple Versions - Remote Code Execution vulnerability (CVE-2023-46805, CVE-2024-21887)
     998553 | CVE-2023-22527 | WEB-MISC Atlassian Confluence Server and Data Center Multiple Versions - Remote Code Execution Vulnerability (CVE-2023-22527)

     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

     NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 123 or later and then follow these steps:
       • Search your signatures for <number>
       • Select the results with ID
       • Choose "Enable Rules" and click OK

     NetScaler WAF Best Practices

     NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

     Handling false positives

     If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     Modifications to NetScaler Web App Firewall Policy:

       add policy patset exception_list
       # (Example: bind policy patset exception_list "/exception_url")

     Prepend the existing WAF policy with:

       HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
       # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

     NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

     Additional Information

     NetScaler Web App Firewall benefits from a single code base across all its form factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  2. CVE-2023-50164: Apache Struts - Files or Directories Accessible to External Parties - (v120 signature update published)

     NetScaler CTRI Team
     Last Updated: 12/13/2023

     Description: A security vulnerability, identified as CVE-2023-50164, has been discovered in Apache Struts, a popular, open-source framework for building Java web applications. The vulnerability affects the file upload functionality of versions prior to Apache Struts 2.5.33 and Struts 6.3.0.2. The problem stems from how the framework handles the HTTP parameters related to file uploading. An unauthenticated, remote attacker can manipulate file upload parameters to perform unauthorized path traversal. This could allow the attacker to upload malicious files on the server and potentially execute arbitrary code remotely. Please follow the guidelines as recommended by the vendor in their Security Bulletin.

     NetScaler CTRI: NetScaler CTRI team is actively investigating this issue and will provide an update on the mitigation steps and a WAF Signature soon.

     Update: Signature v120 published

     References: https://nvd.nist.gov/vuln/detail/CVE-2023-50164
  3. NetScaler WAF Signatures Update v120

     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate several CVEs with variable CVSS. The most critical is a security vulnerability, identified as CVE-2023-50164, which has been discovered in Apache Struts, a popular, open-source framework for building Java web applications. The vulnerability affects the file upload functionality of versions prior to Apache Struts 2.5.33 and Struts 6.3.0.2. The problem stems from how the framework handles the HTTP parameters related to file uploading. An unauthenticated, remote attacker can manipulate file upload parameters to perform unauthorized path traversal. This could allow the attacker to upload malicious files on the server and potentially execute arbitrary code remotely. Please follow the guidelines as recommended by the vendor in their Security Bulletin.

     Signatures included in v120:

     Rule | CVE ID | Description
     998559 | CVE-2023-50164 | WEB-STRUTS Apache Struts Prior to 6.3.0.2 - Path Traversal Vulnerability (CVE-2023-50164)
     998560 | CVE-2023-49105 | WEB-MISC ownCloud Prior to 10.13.1 - Access Control Bypass Vulnerability (CVE-2023-4105)
     998561 | CVE-2023-49103 | WEB-MISC ownCloud Multiple Versions - Information Disclosure Vulnerability (CVE-2023-49103)
     998562 | CVE-2023-47246 | WEB-MISC SysAid Server On-Premise Prior to 23.3.36 - Path Traversal Vulnerability (CVE-2023-47246)
     998563 | CVE-2023-46509 | WEB-MISC Contec SolarView Compact 6.0 and Prior - OS Command Injection Vulnerability (CVE-2023-46509)
     998564 | CVE-2023-44450 | WEB-MISC NETGEAR ProSAFE Network Management System Prior to 1.7.0.31 - SQL Injection Vulnerability (CVE-2023-44450)
     998565 | CVE-2023-44449 | WEB-MISC NETGEAR ProSAFE Network Management System Prior to 1.7.0.31 - SQL Injection Vulnerability (CVE-2023-44449)
     998566 | CVE-2023-44351, CVE-2023-44353 | WEB-MISC Adobe ColdFusion - Deserialization of Untrusted Data Vulnerability (CVE-2023-44351, CVE-2023-44353)
     998567 | CVE-2023-43177 | WEB-MISC CrushFTP Prior to 10.5.1 - Improper Control of Dynamically-Managed Code Resources Vulnerability (CVE-2023-43177)
     998568 | CVE-2023-40062 | WEB-MISC SolarWinds Orion Prior to 2023.4.0 - Improper Input Validation Vulnerability Via TestAction (CVE-2023-40062)
     998569 | CVE-2023-40062 | WEB-MISC SolarWinds Orion Prior to 2023.4.0 - Improper Input Validation Vulnerability Via /api/WriteToFile/ (CVE-2023-40062)
     998570 | CVE-2023-40055 | WEB-MISC SolarWinds NCM Prior to 2023.4.1 - Directory Traversal Vulnerability Via SaveResultsToFile (CVE-2023-40055)
     998571 | CVE-2023-40054 | WEB-MISC SolarWinds NCM Prior to 2023.4.1 - Directory Traversal Vulnerability Via txtConfigTemplate (CVE-2023-40054)
     998572 | CVE-2023-40054 | WEB-MISC SolarWinds NCM Prior to 2023.4.1 - Directory Traversal Vulnerability Via txtPath (CVE-2023-40054)
     998573 | CVE-2023-39912 | Zoho ADManager Plus Prior to 7203 - Directory traversal Vulnerability (CVE-2023-39912)
     998574 | CVE-2023-35150 | WEB-MISC XWiki Multiple Versions - Arbitrary Code Injection Vulnerability (CVE-2023-35150)
     998575 | CVE-2023-32707 | WEB-MISC Splunk Enterprise - Escalation of Privileges Vulnerability (CVE-2023-32707)
     998576 | CVE-2023-30943 | WEB-MISC Moodle Prior to 4.1.3 - TinyMCE Loaders Stored Cross-Site Scripting Vulnerability Via loader (CVE-2023-30943)
     998577 | CVE-2023-30943 | WEB-MISC Moodle Prior to 4.1.3 - TinyMCE Loaders Stored Cross-Site Scripting Vulnerability Via lang (CVE-2023-30943)
     998578 | CVE-2023-2943 | WEB-MISC OpenEMR Prior to 7.0.1 - HTML Code Injection Vulnerability (CVE-2023-2943)

     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

     NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 120 or later and then follow these steps:
       • Search your signatures for <number>
       • Select the results with ID
       • Choose "Enable Rules" and click OK

     NetScaler WAF Best Practices

     NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

     Handling false positives

     If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     Modifications to NetScaler Web App Firewall Policy:

       add policy patset exception_list
       # (Example: bind policy patset exception_list "/exception_url")

     Prepend the existing WAF policy with:

       HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
       # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

     NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

     Additional Information

     NetScaler Web App Firewall benefits from a single code base across all its form factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  4. NetScaler WAF Signatures Update v118

     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate several CVEs with variable CVSS. The most critical is CVE-2023-22518, an improper authorisation vulnerability in the setup-restore endpoints of Atlassian Confluence Data Center and Server. This vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. All versions of Confluence Data Center and Server are affected by this vulnerability. As part of Atlassian's ongoing monitoring of this CVE, they observed publicly posted critical information about the vulnerability, increasing the risk of exploitation. There are still no reports of an active exploit, though customers must take immediate action to protect their instances.

     Signatures included in v118:

     Rule | CVE ID | Description
     998591 | CVE-2023-39968 | WEB-MISC Jupyter Server Prior to 2.7.2 - Open Redirect Vulnerability (CVE-2023-39968)
     998592 | CVE-2023-38743 | WEB-MISC Zoho ManageEngine ADManager Plus Prior to 7200 - Remote Code Execution Vulnerability (CVE-2023-38743)
     998593 | CVE-2023-22518 | WEB-MISC Confluence Data Center and Server Multiple Versions - Improper Authorization Vulnerability (CVE-2023-22518)
     998594 | CVE-2023-20890 | WEB-MISC VMware Aria Operations for Networks - Arbitrary File Write Vulnerability (CVE-2023-20890)
     998595 | CVE-2023-20889 | WEB-MISC VMware Aria Operations for Networks - Command Injection Vulnerability (CVE-2023-20889)
     998596 | CVE-2023-20273 | WEB-MISC Cisco IOS XE Software - Command Injection Vulnerability (CVE-2023-20273)

     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

     NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 118 or later and then follow these steps:
       • Search your signatures for <number>
       • Select the results with ID
       • Choose "Enable Rules" and click OK

     NetScaler WAF Best Practices

     NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

     Handling false positives

     If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     Modifications to NetScaler Web App Firewall Policy:

       add policy patset exception_list
       # (Example: bind policy patset exception_list "/exception_url")

     Prepend the existing WAF policy with:

       HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
       # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

     NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

     Additional Information

     NetScaler Web App Firewall benefits from a single code base across all its form factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  5. NetScaler WAF Signatures Update v117 (limited to CISCO XE Software)

     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate the maximum severity CVSS 10 zero-day vulnerability in Cisco IOS XE (CVE-2023-20198) which has been exploited in the wild.

     Cisco has issued a security advisory regarding multiple vulnerabilities in the web UI feature of Cisco IOS XE Software. The most critical vulnerability, CVE-2023-20198, allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then exploit another component of the web UI feature to elevate privilege to root and write the implant to the file system. Cisco has assigned a CVSS Score of 10.0 to CVE-2023-20198. The company is providing availability of Software Maintenance Upgrade (SMU) files and will update the advisory as additional releases post to Cisco Software Download Center. For steps to close the attack vector for these vulnerabilities, see the Recommendations section of Cisco's advisory. For protection until updating to the latest version, download and use the v117 signature.

     Signatures included in v117:

     Signature rule | CVE ID | Description
     998597 | CVE-2023-20198 | WEB-MISC Cisco IOS XE Software - Authentication Bypass Vulnerability (CVE-2023-20198)

     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

     NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 117 or later and then follow these steps:
       • Search your signatures for <number>
       • Select the results with ID
       • Choose "Enable Rules" and click OK

     NetScaler WAF Best Practices

     NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

     Handling false positives

     If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     Modifications to NetScaler Web App Firewall Policy:

       add policy patset exception_list
       # (Example: bind policy patset exception_list "/exception_url")

     Prepend the existing WAF policy with:

       HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
       # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

     NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

     Additional Information

     NetScaler Web App Firewall benefits from a single code base across all its form factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  6. NetScaler WAF Signatures Update v116 (limited to SharePoint and Atlassian)

     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate two vulnerabilities in two software products with high penetration. The first vulnerability is related to a Microsoft SharePoint Server chain attack that exploits CVE-2023-24955, while the second vulnerability deals with a critical Atlassian Confluence Server vulnerability, namely CVE-2023-22525.

     CVE-2023-22525 is a critical vulnerability in Atlassian Confluence Server. The vulnerability allows an attacker to execute remote code on the affected system, which could lead to data theft or system compromise. The vulnerability affects Confluence Server versions 6.1.0 to 7.13.20, 7.19.8, and 8.2.0. Atlassian has released a patch for this vulnerability, and users are advised to update their systems as soon as possible. The vulnerability is caused by an input validation error when Confluence Server processes user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted request to the affected server. Once the attacker has successfully exploited the vulnerability, they can execute arbitrary code on the affected system with the privileges of the Confluence Server process. To mitigate this vulnerability, Atlassian recommends that users upgrade their Confluence Server installations to version 7.13.21, 7.19.9, or 8.2.1. If upgrading is not possible, users can apply a workaround by disabling the "Widget Connector" feature in Confluence Server or enable our WAF signature.

     CVE-2023-24955 is a remote code execution vulnerability affecting Microsoft SharePoint Server. The vulnerability was assigned a CVSSv3 score of 7.2 and could allow an authenticated Site Owner to execute code on an affected SharePoint Server. The vulnerability was part of a chain attack that also involved another vulnerability, CVE-2023-29357, which is an elevation of privilege vulnerability in Microsoft SharePoint Server that was assigned a CVSSv3 score of 9.8 and rated critical (part of v112 WAF signature version). A proof-of-concept exploit chain has been released for these two vulnerabilities that can be exploited to achieve unauthenticated RCE against Microsoft SharePoint Server.

     Signatures included in v115:

     Signature rule | CVE ID | Description
     998598 | CVE-2023-24955 | WEB-MISC Microsoft SharePoint Server - Remote Code Execution Vulnerability (CVE-2023-24955)
     998599 | CVE-2023-22515 | WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /setup/*.action (CVE-2023-22515)
     998600 | CVE-2023-22515 | WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /server-info.action (CVE-2023-22515)

     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

     NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 115 or later and then follow these steps:
       • Search your signatures for <number>
       • Select the results with ID
       • Choose "Enable Rules" and click OK

     NetScaler WAF Best Practices

     NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

     Handling false positives

     If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     Modifications to NetScaler Web App Firewall Policy:

       add policy patset exception_list
       # (Example: bind policy patset exception_list "/exception_url")

     Prepend the existing WAF policy with:

       HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
       # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

     NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

     Additional Information

     NetScaler Web App Firewall benefits from a single code base across all its form factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  7. (UPDATE) CVE-2023-40044: Progress Software - Critical Pre-Auth Flaws in WS_FTP Server Product (Published in v114)

     NetScaler CTRI Team
     Last Updated: 10/03/2023
  8. NetScaler WAF Signatures Update v114

     NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate several CVEs, including CVE-2023-40044 (Progress Software Patches Multiple Vulnerabilities in WS_FTP Server) and CVE-2023-42793 (Critical RCE Vulnerability in TeamCity On-Premises).

     CVE-2023-40044 is a critical vulnerability in Progress WS_FTP Server, a popular file transfer software. It is a .NET deserialization vulnerability that could allow an unauthenticated attacker to execute remote commands on the underlying WS_FTP Server operating system. In the case of CVE-2023-40044, the vulnerability is in the Ad Hoc Transfer module of WS_FTP Server. An attacker could exploit this vulnerability by sending a specially crafted POST request to a vulnerable WS_FTP Server. Successful exploitation would grant the attacker the ability to achieve remote command execution on the underlying operating system of the WS_FTP Server. This vulnerability is particularly dangerous because it can be exploited without any authentication. This means that an attacker does not need to have any existing credentials on the WS_FTP Server to exploit it.

     CVE-2023-42793 is a critical remote code execution (RCE) vulnerability in JetBrains TeamCity On-Premises. It allows an unauthenticated attacker with HTTP(S) access to a TeamCity server to execute arbitrary code on the server. The vulnerability is caused by a flaw in the way TeamCity authenticates users. An attacker can exploit this flaw by sending a specially crafted HTTP(S) request to the TeamCity server. If the request is successful, the attacker will be able to execute arbitrary code on the server. This vulnerability is very dangerous because it can be exploited without any authentication. This means that an attacker does not need to have any existing credentials on the TeamCity server in order to exploit it. JetBrains has released a patch for CVE-2023-42793 for all affected versions of TeamCity On-Premises.

     Signatures included in v114:

     Signature rule | CVE ID | Description
     998601 | CVE-2023-42793 | WEB-MISC JetBrains TeamCity Prior to 2023.05.4 - Authentication Bypass Vulnerability (CVE-2023-42793)
     998602 | CVE-2023-40931 | WEB-MISC NagiosXI Prior to 5.11.2 - SQL Injection Vulnerability (CVE-2023-40931)
     998603 | CVE-2023-40044 | WEB-MISC Progress WS_FTP Server - Deserialization of Untrusted Data Vulnerability (CVE-2023-40044)
     998604 | CVE-2023-39362 | WEB-MISC Cacti Prior To 1.2.25 - OS Command Injection Vulnerability (CVE-2023-39362)
     998605 | CVE-2023-39361 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability (CVE-2023-39361)
     998606 | CVE-2023-39359 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability (CVE-2023-39359)
     998607 | CVE-2023-39358 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability via reports_admin (CVE-2023-39358)
     998608 | CVE-2023-39358 | WEB-MISC Cacti Prior to 1.2.25 - SQL Injection Vulnerability via reports_user (CVE-2023-39358)
     998609 | CVE-2023-35813 | WEB-MISC Sitecore Through 10.3 - Remote Code Execution Vulnerability (CVE-2023-35813)
     998610 | CVE-2023-20890 | WEB-MISC VMware Aria Operations for Networks - Path Traversal Vulnerability Via infra API (CVE-2023-20890)
     998611 | CVE-2023-20890 | WEB-MISC VMware Aria Operations for Networks - Path Traversal Vulnerability Via data-sources API (CVE-2023-20890)
     998612 | CVE-2022-43719 | WEB-MISC Apache Superset Multiple Versions - CSRF Vulnerability (CVE-2022-43719)
     998613 | CVE-2022-40881 | WEB-MISC Contec SolarView Compact Prior to 7.21 - OS Command Injection Vulnerability (CVE-2022-40881)

     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

     NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 114 or later and then follow these steps:
       • Search your signatures for <number>
       • Select the results with ID
       • Choose "Enable Rules" and click OK

     NetScaler WAF Best Practices

     NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

     Handling false positives

     If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

     Modifications to NetScaler Web App Firewall Policy:

       add policy patset exception_list
       # (Example: bind policy patset exception_list "/exception_url")

     Prepend the existing WAF policy with:

       HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
       # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

     NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

     Additional Information

     NetScaler Web App Firewall benefits from a single code base across all its form factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
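The "Handling false positives" relaxation repeated in the signature update posts above prepends HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT to the WAF policy. The following is an added example, not NetScaler code and not part of any post on this page: a small Python model of that expression, used to check what an exception list actually exempts before it is applied. It assumes that CONTAINS_ANY is a substring match against every pattern bound to the patset and that HTTP.REQ.URL covers the whole request URL including the query string, which is how NetScaler documents those operators (verify against your release's documentation). The Patset class, the waf_policy_applies and audit_exceptions helpers, and the sample URLs are all constructed for the demo.

```python
# Added example (not NetScaler's code): a Python model of the relaxation
#     HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>
# Assumptions: CONTAINS_ANY is a plain substring match against each pattern
# bound to the patset, and HTTP.REQ.URL is the full request URL including
# the query string.  All names and sample URLs here are constructed.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Patset:
    """Stand-in for `add policy patset <name>` plus its `bind policy patset` entries."""
    name: str
    patterns: List[str] = field(default_factory=list)

    def bind(self, pattern: str) -> "Patset":
        """Equivalent of `bind policy patset <name> "<pattern>"`."""
        self.patterns.append(pattern)
        return self


def contains_any(url: str, patset: Patset) -> bool:
    """HTTP.REQ.URL.CONTAINS_ANY(<patset>): true if any bound pattern occurs anywhere in the URL."""
    return any(pattern in url for pattern in patset.patterns)


def waf_policy_applies(url: str, exception_list: Patset,
                       existing_rule: Callable[[str], bool] = lambda _url: True) -> bool:
    """Evaluate `CONTAINS_ANY(exception_list).NOT && <existing rule>`.

    True means the request is still inspected by the WAF profile; False means
    the relaxation exempts it.  `existing_rule` models the original policy
    expression and defaults to the common `true` rule.
    """
    return (not contains_any(url, exception_list)) and existing_rule(url)


def audit_exceptions(exception_list: Patset, observed_urls: List[str]) -> Dict[str, List[str]]:
    """For each bound pattern, list the observed URLs it would exempt from inspection.

    Run this over a sample of real request URLs before applying a relaxation:
    a pattern that also exempts a different path, or a URL that merely carries
    the pattern in its query string, is broader than the intended endpoint and
    should be narrowed (for example with an exact-match patset operator).
    """
    return {pattern: [u for u in observed_urls if pattern in u]
            for pattern in exception_list.patterns}


# Constructed sample traffic for the demo; not taken from the posts above.
SAMPLE_URLS = [
    "/exception_url",                  # the endpoint the relaxation is meant for
    "/exception_url/report?id=7",      # sub-path, also exempted
    "/exception_url_admin/config",     # different endpoint sharing the prefix
    "/api/search?q=/exception_url",    # pattern appears only in the query string
    "/server-info.action",             # unrelated endpoint, still inspected
]


def demo() -> Dict[str, bool]:
    """Map each sample URL to whether the WAF policy still applies to it."""
    exception_list = Patset("exception_list").bind("/exception_url")
    return {url: waf_policy_applies(url, exception_list) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, inspected in demo().items():
        print(f"{'inspected' if inspected else 'EXEMPT   '}  {url}")
    exempted = audit_exceptions(Patset("exception_list").bind("/exception_url"), SAMPLE_URLS)
    for pattern, urls in exempted.items():
        print(f'pattern "{pattern}" exempts {len(urls)} of {len(SAMPLE_URLS)} sample URLs')
```

With the single pattern "/exception_url" bound, four of the five constructed URLs are exempted and only /server-info.action is still inspected, which is the point of the NOTE in the posts: the relaxation is keyed on a substring of the whole URL, so review the audit output against real traffic and keep each bound pattern as specific as the affected endpoint allows.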
  9. NetScaler WAF Signatures Update v113

NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate several CVEs, including three CISA published vulnerabilities, namely Ignite Realtime Openfire Path Traversal Vulnerability, Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability and Ivanti Sentry Authentication Bypass Vulnerability.

CVE-2023-32315 is a vulnerability found in the Openfire administrative console, a web-based application used for managing an XMPP server. This vulnerability allows an unauthenticated user to exploit the Openfire Setup Environment within an established Openfire configuration, accessing restricted pages reserved for administrative users. The vulnerability affects all versions of Openfire released since April 2015, starting with version 3.10.0. The Openfire community has patched this vulnerability in releases 4.7.5 and 4.6.8, with further improvements planned for the upcoming 4.8.0 release. Users are advised to upgrade their Openfire installations to the latest patched versions.

CVE-2022-24086 is a vulnerability that affects Adobe Commerce versions 2.4.3-p1 and earlier, as well as 2.3.7-p2 and earlier. It is an improper input validation vulnerability that can be exploited during the checkout process. This vulnerability allows arbitrary code execution without requiring user interaction. The severity of this vulnerability is rated as CRITICAL with a CVSS score of 9.8. Adobe has released a security bulletin with more information and instructions on how to apply updates.

CVE-2023-38035 is an API authentication bypass vulnerability that affects Ivanti MobileIron Sentry versions 9.18.0 and below. This vulnerability allows unauthenticated attackers to access APIs configuring the Ivanti Sentry on the administrator portal/interface. The administrative interface is also known as the MobileIron Configuration Service (MICS) Admin Portal. By default, the MICS Admin Portal runs on port 84432. The severity of this vulnerability is rated as CRITICAL with a CVSS score of 9.8.

Signatures included in v113:

Signature rule | CVE ID | Description
998614 | CVE-2023-38035 | WEB-MISC Ivanti Sentry Up To 9.18.0 - Incorrect Authorization Vulnerability via /asproxy/services/ (CVE-2023-38035)
998615 | CVE-2023-38035 | WEB-MISC Ivanti Sentry Up To 9.18.0 - Incorrect Authorization Vulnerability via /mics/services/ (CVE-2023-38035)
998616 | CVE-2023-36846 | WEB-MISC Juniper JunOS SRX - Missing Authentication for Critical Function Vulnerability Via webauth_operation (CVE-2023-36846)
998617 | CVE-2023-3486 | WEB-MISC PaperCut NG Prior to 22.1.3 - Unrestricted File Upload Vulnerability (CVE-2023-3486)
998618 | CVE-2023-34468, CVE-2023-40037 | WEB-MISC Apache NiFi Multiple Versions - Command Injection Vulnerability (CVE-2023-34468, CVE-2023-40037)
998619 | CVE-2023-33653 | WEB-MISC Sitecore - Remote Code Execution Vulnerability (CVE-2023-33653)
998620 | CVE-2023-33224, CVE-2023-23843 | WEB-MISC SolarWinds Orion Platform Prior to 2023.3 - Remote Code Execution Vulnerability (CVE-2023-33224, CVE-2023-23843)
998621 | CVE-2023-32566 | WEB-MISC Ivanti Avalanche - SecureFilter Authentication Bypass Vulnerability (CVE-2023-32566)
998622 | CVE-2023-32562 | WEB-MISC Ivanti Avalanche Prior to 6.4.1 - Unrestricted File Upload Vulnerability (CVE-2023-32562)
998623 | CVE-2023-32315 | WEB-MISC Ignite Realtime Openfire - Path Traversal Vulnerability (CVE-2023-32315)
998624 | CVE-2023-28128 | WEB-MISC Ivanti Avalanche Prior to 6.4.0 - Unrestricted Upload Vulnerability (CVE-2023-28128)
998625 | CVE-2023-27066 | WEB-MISC Sitecore Up To 10.2 - Path Traversal Vulnerability (CVE-2023-27066)
998626 | CVE-2022-23333 | WEB-MISC Contec SolarView Compact Prior to 7.21 - OS Command Injection Vulnerability (CVE-2022-23333)
998627 | CVE-2022-37044 | WEB-MISC Zimbra Collaboration Suite Prior to 8.8.15 P33 - XSS Vulnerability via onload (CVE-2022-37044)
998628 | CVE-2022-37044 | WEB-MISC Zimbra Collaboration Suite Prior to 8.8.15 P33 - XSS Vulnerability via extra (CVE-2022-37044)
998629 | CVE-2022-37044 | WEB-MISC Zimbra Collaboration Suite Prior to 8.8.15 P33 - XSS Vulnerability via title (CVE-2022-37044)
998630 | CVE-2022-24086 | WEB-MISC Adobe Magento - Arbitrary Code Execution Vulnerability Via wishlist (CVE-2022-24086)
998631 | CVE-2022-24086 | WEB-MISC Adobe Magento - Arbitrary Code Execution Vulnerability via checkout (CVE-2022-24086)
17279 | CVE-2005-1939 | WEB-MISC Ipswitch WhatsUp Small Business directory traversal attempt

NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 113 or later and then follow these steps:

1. Search your signatures for <number>
2. Select the results with ID
3. Choose “Enable Rules” and click OK

NetScaler WAF Best Practices

NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

Handling false positives

If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

Modifications to NetScaler Web App Firewall Policy:

add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")

Prepend the existing WAF policy with:

HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

Additional Information

NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  10. NetScaler WAF Signatures Update v112

NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate several CVEs, with two 9.8 (Critical) CVSS v3 among them, namely CVE-2023-29357 Microsoft SharePoint Server Elevation of Privilege Vulnerability and CVE-2023-32563 Ivanti Avalanche.

CVE-2023-29357 is an elevation of privilege vulnerability in Microsoft SharePoint Server. This vulnerability allows authenticated attackers to escalate their privileges by exploiting certain misconfigurations in the affected Microsoft SharePoint Server versions. Microsoft has released a security update that resolves this vulnerability, along with other vulnerabilities such as a denial of service vulnerability and a spoofing vulnerability. The security update is available for SharePoint Server 2019 Language Pack and can be obtained through Microsoft Update, Microsoft Update Catalog, or Microsoft Download Center.

Ivanti Avalanche is an enterprise mobile device management solution, and CVE-2023-32563 is a directory traversal flaw that has been identified in Ivanti Avalanche. This vulnerability could allow remote code execution and is rated as critical. Ivanti has released a security update that addresses this vulnerability, along with other vulnerabilities such as a stack-based buffer overflow vulnerability, multiple remote code execution vulnerabilities, and multiple authentication bypass vulnerabilities. The security update is available for Avalanche 6.4.1 and older versions and can be obtained through the Ivanti website.

Signatures included in v112:

Rule | CVE ID | Description
998632 | CVE-2023-39526 | WEB-MISC PrestaShop Prior to 8.0.5, 8.1.1 and 1.7.8.10 - Arbitrary File Write Vulnerability via OUTFILE (CVE-2023-39526)
998633 | CVE-2023-39526 | WEB-MISC PrestaShop Prior to 8.0.5, 8.1.1 and 1.7.8.10 - Arbitrary File Write Vulnerability via DUMPFILE (CVE-2023-39526)
998634 | CVE-2023-39143 | WEB-MISC PaperCut NG/MF Prior to 22.1.3 - Path Traversal Vulnerability in CustomReportExampleServlet (CVE-2023-39143)
998635 | CVE-2023-37979 | WEB-WORDPRESS Ninja Forms Contact Form Plugin Up to 3.6.25 - Cross-Site Scripting Vulnerability (CVE-2023-37979)
998636 | CVE-2023-33652 | WEB-MISC Sitecore - Remote Code Execution Vulnerability (CVE-2023-33652)
998637 | CVE-2023-32563 | WEB-MISC Ivanti Avalanche Prior to 6.4.1 - Arbitrary File Upload Vulnerability (CVE-2023-32563)
998638 | CVE-2023-29357 | WEB-MISC Microsoft SharePoint Server - Elevation of Privilege Vulnerability via access_token/proof token (CVE-2023-29357)
998639 | CVE-2023-29357 | WEB-MISC Microsoft SharePoint Server - Elevation of Privilege Vulnerability via Authorization Header (CVE-2023-29357)
998640 | CVE-2023-22480 | WEB-MISC KubeOperator Prior to 3.16.4 - Improper Authorization Vulnerability (CVE-2023-22480)
998664 | CVE-2023-26360 | WEB-MISC Adobe ColdFusion - Deserialization of Untrusted Data Vulnerability (CVE-2023-26359, CVE-2023-26360)

NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 112 or later and then follow these steps:

1. Search your signatures for <number>
2. Select the results with ID
3. Choose “Enable Rules” and click OK

NetScaler WAF Best Practices

NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

Handling false positives

If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

Modifications to NetScaler Web App Firewall Policy:

add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")

Prepend the existing WAF policy with:

HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

NOTE: Any endpoint covered by the exception_list may expose those assets to risks.

Additional Information

NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  11. CVE-2023-32560: Ivanti - Unauthenticated Stack-based Buffer Overflows (Not applicable for WAF signature) NetScaler CTRI Team Last Updated: 08/16/2023
  12. NetScaler WAF mitigates risk from Zimbra XSS vulnerability

NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate the recent critical cross site scripting vulnerability in Zimbra Collaboration Suite (ZCS) v.8.8.15, Zimbra Classic Web Client version 8 before 8.8.15 Patch 41 and Zimbra Collaboration ZCS v.8.8.15 and v.9.0. The new signatures protect customers from the recent CVE-2023-34192, CVE-2023-29382, CVE-2023-37580 vulnerabilities that allow XSS and arbitrary code execution. The aforementioned vulnerabilities are classed as critical. Customers should apply the latest NetScaler WAF signature file to help mitigate exploitation of this vulnerability in their environments. You can download the signatures and apply them immediately.

Mitigations:

CVE-2023-34192
The NIST database has details about the vulnerability: Cross Site Scripting vulnerability in Zimbra ZCS v.8.8.15 allows a remote authenticated attacker to execute arbitrary code via a crafted script to the /h/autoSaveDraft function.

CVE-2023-29382
The NIST database has details about the vulnerability: An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.

CVE-2023-37580
The NIST database has details about the vulnerability: Zimbra Collaboration (ZCS) 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client.

The vendor (Zimbra) recommends that users of Zimbra Collaboration Suite Version 8.8.15 immediately adhere to their published mitigation measures and apply the appropriate patch to the software in order to prevent exploitation of these vulnerabilities.

NetScaler customers can quickly implement the following recommendations to help reduce risk and lower exposure associated with this vulnerability. If you are using any of the affected MOVEit Transfer versions, NetScaler strongly recommends that you download version 111 or later of the signature file and apply it to your NetScaler Web App Firewall deployments as an additional layer of protection for your applications. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

NOTE: Software versions 11.1 and 12.0 are end of life and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

Signature rule | CVE ID | Description
998641 | CVE-2023-37580 | WEB-MISC Zimbra Collaboration Suite Multiple Versions - XSS Vulnerability (CVE-2023-37580)
998644 | CVE-2023-34192 | WEB-MISC Zimbra Collaboration Suite Multiple Versions - XSS Vulnerability (CVE-2023-34192)
998645 | CVE-2023-29282 | WEB-MISC Zimbra Collaboration Suite Multiple Versions - RCE Via sfdc_preauth.jsp (CVE-2023-29382)

If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 111 or later and then follow these steps:

1. Search your signatures for CVE-2023-37580, CVE-2023-34192, CVE-2023-29382 LogString
2. Select the results with ID
3. Choose “Enable Rules” and click OK

NetScaler WAF Best Practices

NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

Handling false positives

If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

Modifications to NetScaler Web App Firewall Policy:

add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")

Prepend the existing WAF policy with:

HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

NOTE: Any endpoint covered by the exception_list may expose those assets to risks from CVE-2023-37580, CVE-2023-34192, CVE-2023-29382.

Additional Information

NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  13. NetScaler WAF mitigates risk from Ivanti Remote Unauthenticated API access vulnerabilities

NetScaler has new signatures available for its integrated Web App Firewall to help customers mitigate the vulnerabilities related to Ivanti Endpoint Manager Mobile (Core) affecting versions 11.2 and prior. The new signatures protect customers from the recent CVE-2023-35078 and CVE-2023-35082 vulnerabilities found in versions of Ivanti Endpoint Manager Mobile (Core) that allow unauthorized access to users’ personally identifiable information and limited changes to the server. The vulnerability (CVE-2023-35078) is classed as critical. Customers should apply the latest NetScaler WAF signature file to help mitigate exploitation of this vulnerability in their environments. You can download the signatures and apply them immediately.

Mitigating CVE-2023-35078

The NIST database has details about the vulnerability: Ivanti Endpoint Manager Mobile (EPMM), formerly MobileIron Core, through 11.10 allows remote attackers to obtain PII, add an administrative account, and change the configuration because of an authentication bypass, as exploited in the wild in July 2023. A patch is available.

Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, recommends that customers refer to their published remediation measures.

NetScaler customers can quickly implement the following recommendations to help reduce risk and lower exposure associated with this vulnerability. If you are using any of the affected Ivanti Endpoint Manager Mobile versions, NetScaler strongly recommends that you download version 111 or later of the signature file and apply it to your NetScaler Web App Firewall deployments as an additional layer of protection for your applications. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

NOTE: Software versions 11.1 and 12.0 are end of life and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

Signature rule | CVE ID | Description
998642 | CVE-2023-35082 | WEB-MISC MobileIron Core (Ivanti EPMM) prior to 11.2 - Authentication Bypass (CVE-2023-35082)
998643 | CVE-2023-35078 | WEB-MISC Ivanti EndPoint Manager Mobile - Authentication Bypass (CVE-2023-35078)

If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 111 or later and then follow these steps:

1. Search your signatures for CVE-2023-35078, CVE-2023-35082 LogString
2. Select the results with ID
3. Choose “Enable Rules” and click OK

NetScaler WAF Best Practices

NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

Handling false positives

If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

Modifications to NetScaler Web App Firewall Policy:

add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")

Prepend the existing WAF policy with:

HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

NOTE: Any endpoint covered by the exception_list may expose those assets to risks from CVE-2023-35078, CVE-2023-35082.

Additional Information

NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall. Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications. Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF.
  14. NetScaler’s CTRI Team on Zimbra and Ivanti vulnerabilities (Update #2 - Signatures published)

NetScaler’s CTRI Team is aware of the below recent vulnerabilities shared by CISA:

- Ivanti Endpoint Manager Mobile (EPMM), and more specifically CVE-2023-35081 and CVE-2023-35078
- Zimbra Collaboration (ZCS) with CVE-2023-34192, CVE-2023-29382 and CVE-2023-37580

Please follow the links for more details on Zimbra and Ivanti CVEs and signatures.
  15. NetScaler Web App Firewall - New WAF signatures available

NetScaler has integrated 43 new signatures into its Web App Firewall to help customers mitigate moderate and high CVSS vulnerabilities. The most notable CVEs in WAF Signatures version 110 are:

CVE | Description | CVSS
CVE-2023-29300, CVE-2023-38203, CVE-2023-38204 | Adobe ColdFusion - Deserialization of Untrusted Data Vulnerability | 9.8
CVE-2023-29298, CVE-2023-38205 | Adobe ColdFusion - Access Control Bypass Vulnerability | 7.5
CVE-2022-29303 | Contec SolarView Compact < 7.21 - OS Command Injection Vulnerability | 9.8
CVE-2023-33157 | Microsoft SharePoint Remote Code Execution Vulnerability | 8.8

Adobe ColdFusion is a popular server-side scripting language that has recently been found to have a critical vulnerability. This vulnerability, tracked as CVE-2023-29300, allows remote attackers to execute arbitrary code. The vulnerability affects multiple versions of ColdFusion, including 2018, 2021, and 2023.

Contec SolarView Series is affected by an unauthenticated and remote command injection vulnerability tracked as CVE-2022-29303. This poses a significant threat to organizations relying on these ICS devices. The impact of this vulnerability extends far beyond the initially reported subset of affected systems. Less than one-third of the internet-facing SolarView installations have applied the necessary patches, exposing many systems to exploitation.

Microsoft SharePoint Server is affected by CVE-2023-33157, which is a remote code execution vulnerability. The vulnerability has a base score of 8.8. Microsoft has released a security update for SharePoint Server 2019 to address this vulnerability.

Mitigating vulnerabilities

If you are using any of the affected products, make sure you download WAF Signatures version 110 and apply it to your NetScaler Web App Firewall deployments as an additional layer of protection for your applications. Signatures are compatible with NetScaler (formerly Citrix ADC) software versions 11.1, 12.0, 12.1, 13.0 and 13.1.

NOTE: Software versions 11.1 and 12.0 are end of life and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.

NetScaler WAF Best Practices

NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.

Handling false positives

If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

Modifications to NetScaler Web App Firewall Policy:

add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")

Prepend the existing WAF policy with:

HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

NOTE: Any endpoint covered by the exception_list may expose those assets to risks from CVE-2023-34362.

Additional Information

NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
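Every post above repeats the same two operator steps: pick the signature rule IDs that cover a set of CVEs, then, if false positives appear, prepend HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT to the WAF policy. The script below is an added example, not NetScaler code; it models both steps offline so the effect of a relaxation can be reviewed before it is applied. It assumes CONTAINS_ANY behaves as plain substring matching against the patset, and the sample table rows are copied from the v113 post.

```python
"""Added example (not NetScaler's code): models rule selection by CVE and the
exception_list relaxation described in the NetScaler WAF signature posts."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureRule:
    rule_id: int
    cves: frozenset[str]
    description: str


def parse_rule_table(text: str) -> list[SignatureRule]:
    """Parse 'rule | CVE-..., CVE-... | description' lines; the header row is skipped."""
    rules = []
    for line in text.strip().splitlines():
        rule_id, cve_cell, desc = (col.strip() for col in line.split("|", 2))
        if not rule_id.isdigit():
            continue  # header row such as 'Signature rule | CVE ID | Description'
        cves = frozenset(c.strip() for c in cve_cell.split(","))
        rules.append(SignatureRule(int(rule_id), cves, desc))
    return rules


def rules_to_enable(rules: list[SignatureRule], wanted_cves) -> list[int]:
    """The 'search your signatures for <CVE>, select the results with ID' step:
    every rule whose CVE cell contains at least one of the wanted CVEs."""
    wanted = set(wanted_cves)
    return sorted(r.rule_id for r in rules if r.cves & wanted)


class RelaxedWafPolicy:
    """WAF policy prefixed with HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT.
    CONTAINS_ANY is modelled as substring matching (assumption)."""

    def __init__(self) -> None:
        self.exception_list: list[str] = []  # contents of the patset

    def bind_exception(self, pattern: str) -> None:
        # bind policy patset exception_list "<pattern>"
        self.exception_list.append(pattern)

    def contains_any(self, url: str) -> bool:
        return any(p in url for p in self.exception_list)

    def waf_inspects(self, url: str) -> bool:
        # The prepended .NOT term: signatures run only when no pattern matches.
        return not self.contains_any(url)

    def uninspected_urls(self, urls) -> list[str]:
        """Requests that the signature policy would no longer see (the risk
        the posts' NOTE warns about)."""
        return [u for u in urls if not self.waf_inspects(u)]


def overbroad_patterns(patterns, min_len: int = 4) -> list[str]:
    """Patset entries that would exempt most of an application: a bare '/'
    or anything shorter than min_len characters (threshold is an assumption)."""
    return [p for p in patterns if p.strip("/") == "" or len(p) < min_len]


# Constructed sample: three rows copied from the v113 signature table.
SAMPLE_TABLE = """
Signature rule | CVE ID | Description
998614 | CVE-2023-38035 | WEB-MISC Ivanti Sentry Up To 9.18.0 - Incorrect Authorization Vulnerability via /asproxy/services/ (CVE-2023-38035)
998618 | CVE-2023-34468, CVE-2023-40037 | WEB-MISC Apache NiFi Multiple Versions - Command Injection Vulnerability (CVE-2023-34468, CVE-2023-40037)
998623 | CVE-2023-32315 | WEB-MISC Ignite Realtime Openfire - Path Traversal Vulnerability (CVE-2023-32315)
"""

if __name__ == "__main__":
    rules = parse_rule_table(SAMPLE_TABLE)
    print("enable rules:", rules_to_enable(rules, ["CVE-2023-40037", "CVE-2023-32315"]))
    policy = RelaxedWafPolicy()
    policy.bind_exception("/exception_url")
    print("uninspected:", policy.uninspected_urls(["/exception_url/report", "/mics/services/"]))
    print("overbroad:", overbroad_patterns(policy.exception_list + ["/"]))
```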