Fair call. But to be clearer, it’s not about MS IIS, but other services running within the instance. Often in smaller deployments you could have multiple applications deployed on the same IIS instance. So we can’t say that the Web Server is fine, only that Web Interface is.

Cheers,
Jeremy

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Dan Dill
Sent: Monday, 9 June 2014 1:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Webinterface -heartbleed

Believe MS is unaffected as they don't use OpenSSL, they roll their own code for that functionality which was not affected.

But of course do your own checking :)

Dan

From: Greg Reese <gareese@xxxxxxxxx>
To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
Date: 06/08/2014 07:12 PM
Subject: [THIN] Re: Citrix Webinterface -heartbleed
Sent by: thin-bounce@xxxxxxxxxxxxx
________________________________

Look for an update regarding SSL soon. A new advisory will incorporate the recently discovered exploits and Heartbleed together.

I can tell you that in both instances, Jeremy is right on. Web Interface as coded and provided by Citrix does not include or use vulnerable code related to Heartbleed or OpenSSL. But the underlying web host could and should be checked and mitigated if necessary.

Greg

On Jun 8, 2014, at 8:24 PM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> wrote:

That’s right Al. Web Interface itself is not vulnerable, but possibly the underlying IIS instance. The security team just needs to check that as they would with any other IIS instance.

Cheers,
Jeremy

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Alan Tropper
Sent: Monday, 9 June 2014 9:17 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix Webinterface -heartbleed

Hi All,

Our security team are concerned about Heartbleed with the Citrix Web Interface server, however I’m not so sure there is a vulnerability there. After reading the below I don’t think Web Interface is affected. Can anyone out there confirm?

Quote: (http://support.citrix.com/article/CTX140876)

“Citrix Web Interface: Web Interface makes use of the TLS functionality provided by the underlying web server. Citrix customers are advised to verify that any deployed web servers used to host Web Interface are not vulnerable to these issues. Web Interface can also use a built-in TLS library to make outgoing TLS connections, this library is not vulnerable to these CVEs”.

Thanks
Al

Alan Tropper
Service Delivery & Support | INPEX
Level 22 100 St Georges Tce | PERTH Western Australia 6000
T + 61 8 6213 6777 | F + 61 8 6213 6455 | Alan.Tropper@xxxxxxxxxxxx