New Vulnerabilities Affect Cloud Computing Providers Citrix, VMWare, and Atlassian—Here’s What You Need to Know
The cloud computing companies Citrix, VMware, and Atlassian were recently affected by critical security vulnerabilities. While you may have heard about these vulnerabilities in the news, it’s important to know that not all organizations need to take action.
- No action needed: If you’re an organization leveraging any of these managed services through the cloud or Software as a Service (SaaS), no action is necessary.
- Action needed: If your organization is self-hosting any of the affected softwares, you will need to update your software as soon as possible.
For organizations already leveraging these services, the provider is responsible for patching the software. Please note the following information from each respective vendor:
Citrix
Citrix stated, “This bulletin only applies to customer-managed NetScaler ADC and NetScaler Gateway products. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.”
VMware
VMSA-2024-0001 Questions and Answers
According to VMware, Aria Automation Cloud was not affected, stating, “Remediation measures have already been implemented for systems and services managed by VMware, as part of the shared responsibility model.”
Atlassian
Altassian confirms that Atlassian Cloud sites are not affected by this vulnerability, adding, “If your Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.”
If you do not leverage these managed services and are affected by these vulnerabilities, take a look at the details below to learn how your organization can update your software to the latest version.
Citrix Warns About Zero-Day Vulnerabilities
Recently, Citrix warned users of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild.
The Citrix vulnerabilities include:
- CVE-2023-6548—Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access)
- CVE-2023-6549–-Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server)
The flaws impact the following customer-managed versions of NetScaler ADC and NetScaler Gateway:
- NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
- NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
- NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
- NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
- NetScaler ADC 13.1-FIPS before 13.1-37.176
- NetScaler ADC 12.1-FIPS before 12.1-55.302, and
- NetScaler ADC 12.1-NDcPP before 12.1-55.302
Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that patches the flaws. It’s also advised not to expose the management interface to the internet to reduce the risk of exploitation.
VMware Fixes Critical Flaw
VMware, an American cloud computing and virtualization technology company, recently alerted customers of a critical security vulnerability in Aria Automation (previously vRealize Automation) that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.
The issue has been assigned the CVE identifier CVE-2023-34063, described as a missing access control flaw, and the versions impacted by the vulnerability include:
- VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x)
- VMware Cloud Foundation (4.x and 5.x)
According to VMware, “The only supported upgrade path after applying the patch is to version 8.16. If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”
Atlassian Updates Critical Code Execution Bug
The Australian-based software company, Atlassian recently released patches for over two dozen vulnerabilities, including a critical remote code execution (RCE) flaw impacting the Confluence Data Center and Confluence Server. It’s recommended that organizations update their installations as soon as possible.
The vulnerability CVE-2023-22527 affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. Atlassian Cloud sites are not affected by this vulnerability.
“A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version,” said Atlassian.
Why consider managed services over self-hosting?
If you’re currently self-hosting a managed service provider and considering leveraging its cloud services, here are a few recommendations from our Manager of Cybersecurity Consulting Larry Kinkaid.
“One of the advantages of using services like Atlassian Cloud is that patching is the provider’s responsibility. In the case of vulnerabilities like the examples above, the service providers should have remediated the issues based on the shared responsibility model of Software as a Service (SaaS) providers,” said Kinkaid.
Kinkaid added, “Unless you can maintain an adequate patching program, I recommend using a SaaS for your software applications so your organization can avoid ongoing threats. Especially if the software isn’t critical to your mission.”
“If the software is critical to the mission, then by all means, you should consider self-hosting. But self-hosting is only successful if patching infrastructure and software is a core competency of your organization.”
Customers of these organizations should read the disclosures carefully to ensure they take the proper actions based on the information provided.
Contact us today for more information on how BARR can help your organization stay protected and up-to-date on cloud computing software updates.