[THIN] Re: Citrix Webinterface -heartbleed

  • From: Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx>
  • To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
  • Date: Mon, 9 Jun 2014 06:15:03 +0000

Fair call. But to be clearer, it’s not about MS IIS, but other services running 
within the instance. Often in smaller deployments you could have multiple 
applications deployed on the same IIS instance. So we can’t say that the Web 
Server is fine, only that Web Interface is.

Cheers,
Jeremy
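The point Jeremy makes here, that the host can carry other applications which bundle their own OpenSSL even though IIS itself uses SChannel, is the one a security team actually has to check. The script below is an added example and is not code from this thread, from Citrix or from Microsoft. It walks a directory tree and looks for the version text that every OpenSSL build embeds (for instance "OpenSSL 1.0.1e 11 Feb 2013"), so it finds libeay32.dll/ssleay32.dll as well as OpenSSL statically linked into an .exe, whatever the file is called. The sample tree it scans in demo() is constructed in a temporary directory; the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is the published one for CVE-2014-0160.

```python
"""Find OpenSSL builds bundled by other applications on a (Windows) web host.

Added example, not from the mailing-list thread, Citrix or Microsoft.
Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 .. 1.0.1f and 1.0.2-beta1;
1.0.1 pre-release betas are not classified here and are reported as unaffected.
"""
import os
import re
import shutil
import tempfile
from typing import List, Tuple

# Version text embedded in every OpenSSL build, e.g. b"OpenSSL 1.0.1e 11 Feb 2013"
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z])?(-beta\d+)?")
MAX_FILE_BYTES = 256 * 1024 * 1024   # skip very large files (images, databases)


def is_heartbleed_affected(version: str) -> bool:
    """True for 1.0.1 .. 1.0.1f and 1.0.2-beta1; every other release is unaffected."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z])?(-beta\d+)?", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base, letter, beta = m.group(1), m.group(2) or "", m.group(3) or ""
    if base == "1.0.1" and not beta:
        return letter <= "f"          # "" (the 1.0.1 release itself) and a..f
    return base == "1.0.2" and beta == "-beta1"


def versions_in_file(path: str) -> List[str]:
    """Return the distinct OpenSSL version strings embedded in one file."""
    try:
        if os.path.getsize(path) > MAX_FILE_BYTES:
            return []
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []                     # unreadable or vanished file: skip, keep scanning
    found: List[str] = []
    for m in VERSION_RE.finditer(data):
        v = (m.group(1) + (m.group(2) or b"") + (m.group(3) or b"")).decode("ascii")
        if v not in found:
            found.append(v)
    return found


def scan_tree(root: str) -> List[Tuple[str, str, bool]]:
    """Walk root; return (path, version, affected) for every embedded OpenSSL build."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for v in versions_in_file(path):
                findings.append((path, v, is_heartbleed_affected(v)))
    return sorted(findings)


def demo() -> List[Tuple[str, str, bool]]:
    """Scan a constructed sample tree (fake DLL/EXE stubs, not real OpenSSL binaries)."""
    root = tempfile.mkdtemp(prefix="openssl-scan-")
    try:
        samples = {                   # constructed contents; only the version text matters
            "App1/libeay32.dll": b"MZ\x90\x00...OpenSSL 1.0.1e 11 Feb 2013\x00...",
            "App2/ssleay32.dll": b"MZ\x90\x00...OpenSSL 1.0.1g 7 Apr 2014\x00...",
            "App3/service.exe": b"MZ\x90\x00...OpenSSL 1.0.2-beta1\x00...",
            "App3/readme.txt": b"This service embeds an SSL library.\n",
        }
        for rel, blob in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(blob)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), v, a)
                for p, v, a in scan_tree(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    # Usage: python openssl_scan.py C:\inetpub  (or any root); no argument runs the demo
    for path, version, affected in (scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(f"{'AFFECTED' if affected else 'ok      '}  OpenSSL {version}  {path}")
```

A hit on an affected version is a finding about that application, not about IIS: the fix is a vendor update for the product that shipped the DLL, and until then the service using it is the one to take off the network-facing path.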

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Dan Dill
Sent: Monday, 9 June 2014 1:57 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Webinterface -heartbleed

Believe MS is unaffected as they don't use OpenSSL; they roll their own code 
for that functionality, which was not affected.

But of course do your own checking :)


Dan




From: Greg Reese <gareese@xxxxxxxxx>
To: "thin@xxxxxxxxxxxxx" <thin@xxxxxxxxxxxxx>
Date: 06/08/2014 07:12 PM
Subject: [THIN] Re: Citrix Webinterface -heartbleed
Sent by: thin-bounce@xxxxxxxxxxxxx
________________________________



Look for an update regarding SSL soon. A new advisory will incorporate the 
recently discovered exploits and Heartbleed together.

I can tell you that in both instances, Jeremy is right on. Web Interface as 
coded and provided by Citrix does not include or use vulnerable code related to 
Heartbleed or OpenSSL.

But the underlying web host could and should be checked and mitigated if 
necessary.

Greg



On Jun 8, 2014, at 8:24 PM, Jeremy Saunders <jeremy@xxxxxxxxxxxxxxxxxxxx> wrote:

That’s right Al. Web Interface itself is not vulnerable, but possibly the 
underlying IIS instance. The security team just needs to check that as they 
would with any other IIS instance.

Cheers,
Jeremy

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of 
Alan Tropper
Sent: Monday, 9 June 2014 9:17 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix Webinterface -heartbleed

Hi All,

Our security team are concerned about Heartbleed with the Citrix Web Interface 
server; however, I’m not so sure there is a vulnerability there. After reading 
the below I don’t think Web Interface is affected. Can anyone out there confirm?

Quote (http://support.citrix.com/article/CTX140876):

“Citrix Web Interface: Web Interface makes use of the TLS functionality 
provided by the underlying web server. Citrix customers are advised to verify 
that any deployed web servers used to host Web Interface are not vulnerable to 
these issues. Web Interface can also use a built-in TLS library to make 
outgoing TLS connections, this library is not vulnerable to these CVEs”.

Thanks

Al

Alan Tropper
Service Delivery & Support | INPEX
Level 22 100 St Georges Tce | PERTH Western Australia 6000
T + 61 8 6213 6777 | F + 61 8 6213 6455 |
Alan.Tropper@xxxxxxxxxxxx

The contents of this e-mail, including any attachments are the property of 
INPEX, are intended for use by the ordinary user of the e-mail address to which 
it was addressed and may also be privileged. If you are not the addressee of 
this e-mail you may not copy, forward, disclose or otherwise use it or any part 
of it in any form whatsoever. If you have received this e-mail in error please 
e-mail the sender by replying to this message. Emails sent or received may be 
monitored to ensure compliance with the law, regulation and/or INPEX policies.
