
Citrix Hypervisor Security Update [CVE-2019-11477 and CVE-2019-11478]

CVE numbers – CVE-2019-11477 and CVE-2019-11478

A vulnerability has been found in Citrix Hypervisor (formerly Citrix XenServer) that may allow an unauthenticated attacker with the ability to send traffic to a host over a management or storage network to cause the host to crash.

This vulnerability is identified as:

• CVE-2019-11477: SACK Panic

A secondary issue, which allows an unauthenticated attacker with the ability to send traffic to a host over a management or storage network to cause a transient increase in memory and processor load within the control domain, has also been addressed. This issue is identified as:

• CVE-2019-11478: Excess resource usage

These issues affect all currently supported versions of Citrix Hypervisor up to and including Citrix Hypervisor 8.0.


Mitigating Factors

Customers with isolated management networks, as recommended by Citrix, have significantly mitigated this issue.

Hotfixes

Hotfixes have been released to address these issues. Citrix recommends that affected customers install these hotfixes as their patching schedules allow. The hotfixes can be downloaded from the following locations:

Citrix XenServer 8.0: CTX256714 – https://support.citrix.com/article/CTX256714

Citrix XenServer 7.6: CTX256713 – https://support.citrix.com/article/CTX256713

Citrix XenServer 7.1 LTSR CU2: CTX256712 – https://support.citrix.com/article/CTX256712

Citrix XenServer 7.0: CTX256711 – https://support.citrix.com/article/CTX256711

Jason Davies

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
