Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild.
The flaws are listed below –
- CVE-2023-6548 (CVSS score: 5.5) – Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access)
- CVE-2023-6549 (CVSS score: 8.2) – Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server)
The following customer-managed versions of NetScaler ADC and NetScaler Gateway are impacted by the shortcomings –
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.176
- NetScaler ADC 12.1-FIPS before 12.1-55.302, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.302
“Exploits of these CVEs on unmitigated appliances have been observed,” Citrix said, without sharing any additional specifics. Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that patches the flaws.
It’s also advised to not expose the management interface to the internet to reduce the risk of exploitation.
In recent months, multiple security vulnerabilities in Citrix appliances (CVE-2023-3519 and CVE-2023-4966) have been weaponized by threat actors to drop web shells and hijack existing authenticated sessions.
VMware Fixes Critical Aria Automation Flaw
The disclosure comes as VMware alerted customers of a critical security vulnerability in Aria Automation (previously vRealize Automation) that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.
The issue has been assigned the CVE identifier CVE-2023-34063 (CVSS score: 9.9), with the Broadcom-owned virtualization services provider describing it as a “missing access control” flaw.
Commonwealth Scientific and Industrial Research Organization’s (CSIRO) Scientific Computing Platforms team has been credited with discovering and reporting the security vulnerability.
The versions impacted by the vulnerability are provided below –
- VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x)
- VMware Cloud Foundation (4.x and 5.x)
“The only supported upgrade path after applying the patch is to version 8.16,” VMware said. “If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”
Atlassian Discloses Critical Code Execution Bug
The development also follows Atlassian’s release of patches for over two dozen vulnerabilities, including a critical remote code execution (RCE) flaw impacting Confluence Data Center and Confluence Server.
The vulnerability, CVE-2023-22527, has been assigned a CVSS score of 10.0, indicating maximum severity. It affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. It’s worth noting that 7.19.x LTS versions are not affected by the vulnerability.
“A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version,” the Australian company said.
The issue has been addressed in versions 8.5.4, 8.5.5 (Confluence Data Center and Server), 8.6.0, 8.7.1, and 8.7.2 (Data Center only). Users who are on out-of-date instances are recommended to update their installations to the latest version available.
