Overview
Citrix has reported two vulnerabilities (CVE-2023-4966 and CVE-2023-4967) in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). CVE-2023-4966 allows the disclosure of sensitive information and CVE-2023-4967 allows a denial-of-service attack. Citrix's advisory notes that an appliance is only affected when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. The affected versions are as follows:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-8.50
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.19
- NetScaler ADC 13.1-FIPS before 13.1-37.164
- NetScaler ADC 12.1-FIPS before 12.1-55.300
- NetScaler ADC 12.1-NDcPP before 12.1-55.300
- (NetScaler ADC and NetScaler Gateway version 12.1 is now End-of-Life (EOL); it is vulnerable and will not receive a fix, so 12.1 appliances must be upgraded to a supported release.)
Because CVE-2023-4966 can expose session data, Citrix also recommends terminating all active and persistent sessions after the upgrade: applying the update alone does not invalidate sessions that may already have been exposed.
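The version list above is what an operator has to compare against the output of `show ns version` on each appliance. The script below is an added example (it is not part of the advisory and is not Citrix's code): it parses that version banner and classifies the appliance against the fixed builds listed above. The banner format and the sample banners in the script are constructed to match what `show ns version` prints; the `fips` flag is an assumption that the operator knows from their inventory whether an appliance runs a FIPS or NDcPP build, since those trains carry their own build numbers.

```python
# Added example, not from the Citrix advisory: classify a NetScaler
# `show ns version` banner against the fixed builds in the version list.
import re

# Fixed builds from the version list, keyed by (release, branch).
# "mainline" is the general NetScaler ADC / Gateway release train; "fips"
# covers the 13.1-FIPS, 12.1-FIPS and 12.1-NDcPP trains, which carry their
# own build numbers and must not be compared against the mainline threshold.
FIXED_BUILDS = {
    ("14.1", "mainline"): (8, 50),
    ("13.1", "mainline"): (49, 15),
    ("13.0", "mainline"): (92, 19),
    ("13.1", "fips"): (37, 164),
    ("12.1", "fips"): (55, 300),  # same fixed build for 12.1-FIPS and 12.1-NDcPP
}

# Mainline 12.1 is End-of-Life: every build is vulnerable and no fix will ship.
EOL_RELEASES = {"12.1"}

# Banner shape printed by `show ns version` (constructed sample):
#   NetScaler NS13.1: Build 49.13.nc, Date: Sep 5 2023, 00:10:42   (64-bit)
BANNER_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)"
)


def parse_banner(banner: str) -> tuple[str, tuple[int, int]]:
    """Return (release, (build_major, build_minor)) from a version banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised NetScaler version banner: {banner!r}")
    return m.group("release"), (int(m.group("major")), int(m.group("minor")))


def assess(banner: str, fips: bool = False) -> str:
    """Classify an appliance as 'fixed', 'vulnerable', 'vulnerable-eol' or 'unknown'.

    The caller states whether the appliance runs a FIPS/NDcPP build (assumed
    to come from the operator's inventory): the banner alone does not label
    those trains, and their fixed builds differ from the mainline ones.
    """
    release, build = parse_banner(banner)
    branch = "fips" if fips else "mainline"
    fixed = FIXED_BUILDS.get((release, branch))
    if fixed is None:
        if branch == "mainline" and release in EOL_RELEASES:
            return "vulnerable-eol"
        return "unknown"  # release not covered by the advisory
    # Tuple comparison orders (major, minor) numerically, so 49.9 < 49.15.
    return "vulnerable" if build < fixed else "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real appliances.
    inventory = [
        ("NetScaler NS13.1: Build 49.13.nc, Date: Sep 5 2023, 00:10:42   (64-bit)", False),
        ("NetScaler NS13.1: Build 49.15.nc, Date: Oct 2 2023, 12:00:00   (64-bit)", False),
        ("NetScaler NS13.1: Build 37.159.nc, Date: Aug 1 2023, 09:30:00   (64-bit)", True),
        ("NetScaler NS12.1: Build 65.39.nc, Date: Jun 1 2023, 08:00:00   (64-bit)", False),
        ("NetScaler NS14.1: Build 4.42.nc, Date: Jul 1 2023, 10:00:00   (64-bit)", False),
    ]
    for banner, is_fips in inventory:
        print(f"{assess(banner, fips=is_fips):<15} {banner.split(',')[0]}")
```

Run the upgrade for anything reported as `vulnerable`, and plan a migration for anything reported as `vulnerable-eol`. After upgrading, Citrix's follow-up guidance is to clear sessions that may have been exposed before the fix was applied, using `kill icaconnection -all`, `kill rdp connection -all`, `kill pcoipConnection -all`, `kill aaa session -all` and `clear lb persistentSessions` from the NetScaler CLI.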
Atlassian has reported a broken access control vulnerability (CVE-2023-22515) in Confluence Data Center and Server. It allows a remote, unauthenticated attacker to create unauthorised administrator accounts and gain access to Confluence instances. It is believed that nation-state attackers are actively exploiting the vulnerability. Fixed versions are available (8.3.3, 8.4.3 and 8.5.2), and versions before 8.0.0 are not affected. Administrators should also check instances that were exposed before patching for unexpected members of the confluence-administrators group, unexpected newly created user accounts, and requests to /setup/*.action in the access logs, which Atlassian lists as indicators of compromise. If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.
Microsoft has released its October 2023 security update. It addresses two critical vulnerabilities: CVE-2023-35349, a remote code execution vulnerability in Microsoft Message Queuing (MSMQ), and CVE-2023-36434, an elevation of privilege vulnerability in Windows IIS Server. MSMQ is not enabled by default; a host is exposed to CVE-2023-35349 only if the Message Queuing service is running, which can be confirmed by checking for that service and for TCP port 1801 listening on the machine.
Windows Server 2012 and 2012 R2 have also reached end-of-life and will no longer receive security updates, non-security updates, bug fixes, technical support or online technical content updates, unless they are enrolled in Microsoft's paid Extended Security Updates (ESU) programme. We recommend that organisations still using these products migrate to a supported version immediately.
Recommended Action
Organisations are encouraged to review the appropriate security advisory pages and apply the updates:
Citrix – Security Advisory
Atlassian – Security Articles
Microsoft – Release Notes
If you have any concerns, or have been affected by a cyber-related issue, report it to us by submitting a Cyber Concerns Online Reporting Form.