[THIN] Re: Citrix Webinterface -heartbleed

  • From: Greg Reese <gareese@xxxxxxxxx>
  • To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
  • Date: Sun, 8 Jun 2014 21:11:40 -0500

Look for an update regarding SSL soon. A new advisory will incorporate the 
recently discovered exploits and Heartbleed together. 

I can tell you that in both instances, Jeremy is right on. Web Interface as 
coded and provided by Citrix does not include or use vulnerable code related to 
Heartbleed or OpenSSL.

But the underlying web host could and should be checked and mitigated if 
necessary.  

Greg



> On Jun 8, 2014, at 8:24 PM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> 
> wrote:
> 
> That’s right Al. Web Interface itself is not vulnerable, but possibly the 
> underlying IIS instance. The security team just needs to check that as they 
> would with any other IIS instance.
>  
> Cheers,
> Jeremy
>  
> From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf 
> Of Alan Tropper
> Sent: Monday, 9 June 2014 9:17 AM
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Citrix Webinterface -heartbleed
>  
> Hi All,
>  
> Our security team are concerned about Heartbleed with the Citrix Web Interface 
> server; however, I'm not so sure there is a vulnerability there. After reading 
> the below, I don’t think Web Interface is affected. Can anyone out there 
> confirm?
>  
> Quote: 
> (http://support.citrix.com/article/CTX140876)
>  
> “Citrix Web Interface: Web Interface makes use of the TLS functionality 
> provided by the underlying web server. Citrix customers are advised to verify 
> that any deployed web servers used to host Web Interface are not vulnerable 
> to these issues. Web Interface can also use a built-in TLS library to make 
> outgoing TLS connections, this library is not vulnerable to these CVEs”.
>  
> Thanks
>  
> Al
>  
> Alan Tropper
> Service Delivery & Support | INPEX
> Level 22 100 St Georges Tce | PERTH Western Australia 6000
> T + 61 8 6213 6777 | F + 61 8 6213 6455 | 
> Alan.Tropper@xxxxxxxxxxxx
>  
