As you know, we announced recently a vulnerability and comprehensive mitigations for certain versions of Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, and deployments of our Citrix SD-WAN WANOP product versions only on the WANOP platforms that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution.

Today we have made available permanent fixes for the impacted versions of Citrix SD-WAN WANOP. The fixes are available here.

To apply the security vulnerability fix, you need to upgrade all Citrix SD-WAN WANOP versions to build 10.2.6b or 11.0.3b as appropriate. These fixes are ONLY applicable to the SD-WAN 4000-WO, 5000-WO, 4100-WO, and 5100-WO platforms. All other SD-WAN PE and SD-WAN SE platforms are not impacted by this vulnerability and do not need to be patched.

Once you have upgraded and applied one of these fixes, you can use the tool we have previously provided to ensure the fixes have successfully been applied. While all the mitigations associated with CVE-2019-19781 are effective across all known scenarios, we strongly encourage customers to apply the permanent fixes as soon as possible.

Upgrade guides can be found on the download pages. While the updates are not difficult, we do recommend you review the instructions prior to installation. In addition, we have staffed our support center with strong networking technical resources who are ready to support you on the installs if needed.

Also, use the Indicators of Compromise tool announced the morning of January 22. The free tool, available under the Apache 2.0 open source license, provides customers with increased awareness of potential compromise related to the CVE-2019-19781 vulnerability on their systems. The tool is designed to allow customers to run it locally on their Citrix instances and receive a rapid assessment of potential Indicators of Compromise based on known attacks and exploits.

As always, we remain deeply committed to the security of our solutions and to helping you manage CVE-2019-19781 and will continue to provide updates and support via our Support Knowledge Center. To receive updates automatically, visit: https://support.citrix.com/user/alerts.

Updated timeline for permanent fixes outlined below:

Citrix ADC and Citrix Gateway
Version Refresh Build Release Date
11.1 11.1.63.15 January 19, 2020
12.0 12.0.63.13 January 19, 2020
12.1 12.1.55.x January 24, 2020
10.5 10.5.70.x January 24, 2020
13.0 13.0.47.x January 24, 2020
Citrix SD-WAN WANOP
Release Citrix ADC Release Release Date
10.2.6b 11.1.51.615 January 22, 2020
11.0.3b 11.1.51.615 January 22, 2020