Debian Linux Security Advisory 5537-1 - Several vulnerabilities have been discovered in the OpenJDK Java runtime, which may result in bypass of sandbox restrictions or denial of service.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5537-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffOctober 27, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : openjdk-11CVE ID         : CVE-2023-22067 CVE-2023-22081Several vulnerabilities have been discovered in the OpenJDK Java runtime,which may result in bypass of sandbox restrictions or denial of service.For the oldstable distribution (bullseye), these problems have been fixedin version 11.0.21+9-1~deb11u1.We recommend that you upgrade your openjdk-11 packages.For the detailed security status of openjdk-11 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/openjdk-11Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmU74DgACgkQEMKTtsN8Tjbrug/+K+/T0ydiyOhIQ/4s4rrQr2YBx0miVGaBTFjuAEw/YduTbIT4eLsJsWOZeQ2dg2ZkIFtW1Ngs7QUaA7WgAjgAu7tnW90rZYFiQalcxPlwAmnSWZSYM9SSaW9p/AHARm8uSQ0YKjlnskCEDVXODVggzOQLpvVF2oA8MA+1Rtb6hnl1W4u+IDXvhXCZzniKheuAe/G9iz0nY8wHgEVNfIc1KO+MKFyD8Z655kH8qgGuMcyORGYDFDX4l6luorc/dA15dr90pokg0TD/2L2dIbkEsj0zOePzU6yZsYTBgQ878Y8gdJnCirpSS/ZaCKWAOSX+fARW+wVUsscvpUh/TcDyHEKh8EjA05ahaiqp6/gvScz8H9rbebYw32glFEu89JMgfDLAI137YLqkfOWhLIKvCzZ+u+drpg7Hf0yjDU0dPWWzc0KHd/asClDxyec5N5zlDCI7eGvY2zxH0TsGqiyed2GVTPi1TR3FWRRvlCC1uKiZF9vdmQZTubDzqpjR7gGbVIyGfn6lYDOxqhOTq7ftoJ3+BjCBxuaxZmHBtw2QzQCb8pJalQj1D2IgqsMBAt92pdD+3DyXjEYnFHNRr330uDiVg2ZeadatRkm+VwiI+pJGwkl+1Xrom1Mg2SQkeNtiY5IO3lGAjIhU8b0TkbrgdMoM3j0zI4dQkX8+BRV5YKM==UEly-----END PGP SIGNATURE-----

Debian Security Advisory 5537-1

Gentoo Linux Security Advisory 202310-18 - Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components. Versions greater than or equal to 2.2.3.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-18  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Rack: Multiple Vulnerabilities  
     Date: October 30, 2023  
     Bugs: #884795  
       ID: 202310-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

Multiple vulnerabilities have been discovered in Rack, the worst of  
which can lead to sequence injection in logging compontents.

Background  
==========

Rack is a modular Ruby web server interface.

Affected packages  
=================

Package        Vulnerable    Unaffected  
-------------  ------------  ------------  
dev-ruby/rack  < 2.2.3.1     >= 2.2.3.1

Description  
===========

Multiple vulnerabilities have been discovered in Rack. Please review the  
CVE identifiers referenced below for details.

Impact  
======

A possible denial of service vulnerability was found in the multipart  
parsing component of Rack.

A sequence injection vulnerability was found which could allow a  
possible shell escape in the Lint and CommonLogger components of Rack.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Rack users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=dev-ruby/rack-2.2.3.1"

References  
==========

[ 1 ] CVE-2022-30122  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30122  
[ 2 ] CVE-2022-30123  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30123

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-18

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-18

Ubuntu Security Notice 6456-1 - Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code. Kelsey Gilbert discovered that Firefox did not properly manage certain browser prompts and dialogs due to an insufficient activation-delay. An attacker could potentially exploit this issue to perform clickjacking.

    ==========================================================================Ubuntu Security Notice USN-6456-1October 30, 2023firefox vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 20.04 LTSSummary:Several security issues were fixed in Firefox.Software Description:- firefox: Mozilla Open Source web browserDetails:Multiple security issues were discovered in Firefox. If a user weretricked into opening a specially crafted website, an attacker couldpotentially exploit these to cause a denial of service, obtain sensitiveinformation across domains, or execute arbitrary code. (CVE-2023-5722,CVE-2023-5724, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730, CVE-2023-5731)Kelsey Gilbert discovered that Firefox did not properly manage certainbrowser prompts and dialogs due to an insufficient activation-delay. Anattacker could potentially exploit this issue to perform clickjacking.(CVE-2023-5721)Daniel Veditz discovered that Firefox did not properly validate a cookiecontaining invalid characters. An attacker could potentially exploit thisissue to cause a denial of service. (CVE-2023-5723)Shaheen Fazim discovered that Firefox did not properly validate the URLsopen by installed WebExtension. An attacker could potentially exploit thisissue to obtain sensitive information. (CVE-2023-5725)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 20.04 LTS:  firefox                         119.0+build2-0ubuntu0.20.04.1After a standard system update you need to restart Firefox to make all thenecessary changes.References:  https://ubuntu.com/security/notices/USN-6456-1  CVE-2023-5721, CVE-2023-5722, CVE-2023-5723, CVE-2023-5724,  CVE-2023-5725, CVE-2023-5728, CVE-2023-5729, CVE-2023-5730,  CVE-2023-5731Package Information:  https://launchpad.net/ubuntu/+source/firefox/119.0+build2-0ubuntu0.20.04.1

Ubuntu Security Notice USN-6456-1

Red Hat Security Advisory 2023-6161-01 - The Migration Toolkit for Containers 1.7.14 is now available. Issues addressed include a denial of service vulnerability.

The following data is constructed from data provided by Red Hat's json file at:

https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6161.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: Migration Toolkit for Containers (MTC) 1.7.14 security and bug fix update  
Advisory ID:        RHSA-2023:6161-01  
Product:            Red Hat Migration Toolkit  
Advisory URL:       https://access.redhat.com/errata/RHSA-2023:6161  
Issue date:         2023-10-30  
Revision:           01  
CVE Names:          CVE-2023-29406  
====================================================================

Summary: 

The Migration Toolkit for Containers (MTC) 1.7.14 is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API.

Security Fix(es) from Bugzilla:

* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)

* golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487) (CVE-2023-39325)

* golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

* golang: crypto/tls: slow verification of certificate chains containing large RSA keys (CVE-2023-29409)

* golang: html/template: improper handling of special tags within script contexts (CVE-2023-39319)

* golang: html/template:  improper handling of HTML-like comments within script contexts (CVE-2023-39318)

* golang: crypto/tls: panic when processing post-handshake message on QUIC connections (CVE-2023-39321)

* golang: crypto/tls: lack of a limit on buffered post-handshake (CVE-2023-39322)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution:

https://access.redhat.com/articles/11258

CVEs:

CVE-2023-29406

References:

https://access.redhat.com/security/updates/classification/#important  
https://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6161-01

Red Hat Security Advisory 2023-6158-01 - An update is now available for Red Hat Ansible Automation Platform 2.4.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6158.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2023:6158-01Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6158Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-43665====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):*  automation-controller: Django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)* python3-urllib3/python39-urllib3: Cookie request header isn't stripped during cross-origin redirects (CVE-2023-43804)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* automation-controller has been updated to 4.4.7* Cleaned up SOS report passwords (AAP-17544)* Customers using the \"infra.controller_configuration\" collection (which uses \"ansible.controller\" collection) to update their Ansible Automation Platform environment no longer receive an HTTP 499 response (AAP-17422)Additional changes:* python3-urllib3/python39-urllib3 has been updated to 1.26.18Solution:CVEs:CVE-2023-43665References:https://access.redhat.com/security/updates/classification/#moderate

Red Hat Security Advisory 2023-6158-01

Red Hat Security Advisory 2023-6144-01 - An update for custom-metrics-autoscaler-adapter-container, custom-metrics-autoscaler-admission-webhooks-container, custom-metrics-autoscaler-container, custom-metrics-autoscaler-operator-bundle-container, and custom-metrics-autoscaler-operator-container is now available for the Custom Metric Autoscaler operator for Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6144.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Custom Metric Autoscaler operator for Red Hat OpenShift security updateAdvisory ID:        RHSA-2023:6144-01Product:            OpenShift Custom Metrics AutoscalerAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6144Issue date:         2023-10-30Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for custom-metrics-autoscaler-adapter-container, custom-metrics-autoscaler-admission-webhooks-container, custom-metrics-autoscaler-container, custom-metrics-autoscaler-operator-bundle-container, and custom-metrics-autoscaler-operator-container is now available for the Custom Metric Autoscaler operator for Red Hat OpenShift.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6144-01

Red Hat Security Advisory 2023-6022-01 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6022.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish:6 security updateAdvisory ID:        RHSA-2023:6022-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6022Issue date:         2023-10-27Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6022-01

Red Hat Security Advisory 2023-6021-01 - An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

    The following data is constructed from data provided by Red Hat's json file at:https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_6021.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: varnish:6 security updateAdvisory ID:        RHSA-2023:6021-01Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2023:6021Issue date:         2023-10-27Revision:           01CVE Names:          CVE-2023-44487====================================================================Summary: An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Varnish Cache is a high-performance HTTP accelerator. It stores web pages in memory so web servers don't have to create the same web page over and over again, giving the website a significant speed up.Security Fix(es):* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-44487References:https://access.redhat.com/security/updates/classification/#importanthttps://access.redhat.com/security/vulnerabilities/RHSB-2023-003

Red Hat Security Advisory 2023-6021-01

An issue was discovered in VERMEG AgileReporter 21.3. XXE can occur via an XML document to the Analysis component.

CVE-2022-34832: XXE in AgileReporter 21.3 by VERMEG

Denial of Service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA Virtual Server

CTX579459

{{tooltipText}}

Security Bulletin | Severity: Critical | {{likeCount}} found this helpful | Created: {{articleFormattedCreatedDate}} | Modified: {{articleFormattedModifiedDate}} | Status: Final

**Description of Problem**

Multiple vulnerabilities have been discovered in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway).

Affected Versions: 

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities: 

*   NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
*   NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
*   NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
*   NetScaler ADC 13.1-FIPS before 13.1-37.164
*   NetScaler ADC 12.1-FIPS before 12.1-55.300
*   NetScaler ADC 12.1-NDcPP before 12.1-55.300

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL) and is vulnerable.

This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.

Summary: 

NetScaler ADC and NetScaler Gateway contain unauthenticated buffer-related vulnerabilities mentioned below 

CVE ID

Description

Pre-requisites

CWE

CVSS

CVE-2023-4966

Sensitive information disclosure

Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Improper Restriction of Operations within the Bounds of a Memory BufferCWE-119

9.4

CVE-2023-4967

Denial of service

Appliance must be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server

Improper Restriction of Operations within the Bounds of a Memory BufferCWE-119

8.2

**Mitigating Factors**

None.

**What Customers Should Do**

**Exploits of CVE-2023-4966 on unmitigated appliances have been observed.** Cloud Software Group strongly urges customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions of NetScaler ADC and NetScaler Gateway as soon as possible: 

*   NetScaler ADC and NetScaler Gateway 14.1-8.50  and later releases
*   NetScaler ADC and NetScaler Gateway  13.1-49.15  and later releases of 13.1
*   NetScaler ADC and NetScaler Gateway 13.0-92.19 and later releases of 13.0  
*   NetScaler ADC 13.1-FIPS 13.1-37.164 and later releases of 13.1-FIPS  
*   NetScaler ADC 12.1-FIPS 12.1-55.300 and later releases of 12.1-FIPS  
*   NetScaler ADC 12.1-NDcPP 12.1-55.300 and later releases of 12.1-NDcPP 

Note: NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL). Customers are recommended to upgrade their appliances to one of the supported versions that address the vulnerabilities.

Cloud Software Group has also published a related blog at https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/ which contains a further context.

**What Citrix is Doing**

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

**Obtaining Support on This Issue**

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

**Subscribe to Receive Alerts**

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

**Reporting Security Vulnerabilities to Citrix**

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

**Disclaimer**

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

**Changelog**

2023-10-10 T 16:00:00Z

Initial Publication

2023-10-17 T 16:00:00Z

Inclusion of information related to the exploitation of CVE-2023-4966

2023-10-23 T 16:00:00Z

Inclusion of a link to the Cloud Software Group blog post about CVE-2023-4966

Tag

#dos