[THIN] Re: Citrix Webinterface -heartbleed

  • From: Dan Dill <Dan.Dill@xxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Sun, 8 Jun 2014 22:56:42 -0700

Believe MS is unaffected as they don't use OpenSSL; they roll their own 
code for that functionality, which was not affected.

But of course do your own checking :)


Dan




From:   Greg Reese <gareese@xxxxxxxxx>
To:     "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>, 
Date:   06/08/2014 07:12 PM
Subject:        [THIN] Re: Citrix Webinterface -heartbleed
Sent by:        thin-bounce@xxxxxxxxxxxxx



Look for an update regarding SSL soon. A new advisory will incorporate the 
recently discovered exploits and Heartbleed together. 

I can tell you that in both instances, Jeremy is right on. Web Interface 
as coded and provided by Citrix does not include or use vulnerable code 
related to Heartbleed or OpenSSL.

But the underlying web host could and should be checked and mitigated if 
necessary. 

Greg



On Jun 8, 2014, at 8:24 PM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> 
wrote:

That’s right Al. Web Interface itself is not vulnerable, but possibly the 
underlying IIS instance. The security team just needs to check that as 
they would with any other IIS instance.
 
Cheers,
Jeremy
 
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On 
Behalf Of Alan Tropper
Sent: Monday, 9 June 2014 9:17 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix Webinterface -heartbleed
 
Hi All,
 
Our security team are concerned about Heartbleed with the Citrix 
Web Interface server; however, I’m not so sure there is a vulnerability 
there. After reading the below I don’t think Web Interface is affected. 
Can anyone out there confirm?
 
Quote: (http://support.citrix.com/article/CTX140876)
 
“Citrix Web Interface: Web Interface makes use of the TLS functionality 
provided by the underlying web server. Citrix customers are advised to 
verify that any deployed web servers used to host Web Interface are not 
vulnerable to these issues. Web Interface can also use a built-in TLS 
library to make outgoing TLS connections, this library is not vulnerable 
to these CVEs”.
 
Thanks
 
Al
 
Alan Tropper
Service Delivery & Support | INPEX
Level 22 100 St Georges Tce | PERTH Western Australia 6000
T + 61 8 6213 6777 | F + 61 8 6213 6455 | 
Alan.Tropper@xxxxxxxxxxxx
 