Citrix has completed its patch release timeline for NetScaler vulnerability (CVE-2019-19781) across its affected products.
Released on January 25, permanent fixes are available for Citrix Application Delivery Controller (ADC) version 10.5 to address the vulnerability.
This release follows fixes for ADC and Citrix Gateway versions 11.1, 12.0, 12.1 and 13.0 and Citrix SD-WAN 4000-WO, 5000-WO, 4100-WO and 5100-WO which were made available over the last week.
These fixes are available to all customers even if they don’t have an active maintenance contract with Citrix.
Fermin J. Serna, chief information security officer at Citrix, said in a blog post he “deeply regret[s]” the impact of the vulnerability on customers.
“Customer security is a top priority for Citrix, and we remain fully committed to ensuring that all customers remediate their systems for the CVE-2019-19781 vulnerability,” Serna said. “To that end, we will keep all enhanced customer support measures in place for as long as necessary. We strongly urge all customers to immediately install these fixes.”
If left unpatched, the vulnerability can lead to arbitrary code execution by malicious users. This release aligns with Citrix’s expedited patch timeline, which estimated a 25 January completion date.
Serna added that customers should also use the Indicator of Compromise Scanning tool, developed in collaboration with FireEye Mandiant, which can identify potential CVE-2019-19781 vulnerabilities in systems.
Interested users can access the tool via Citrix’s GitHub repository.