Tuesday 17 November 2020
The impact of this issue is rated medium. Please take the actions stated below to rectify it.
The flaws affect Citrix SD-WAN Center versions before 11.2.2, 11.1.2b, and 10.2.8.
What you need to know:
Citrix has released a security update to address an unauthenticated path traversal and shell injection problem (CVE-2020-8271), a ConfigEditor authentication bypass (CVE-2020-8272), and a CreateAzureDeployment shell injection issue (CVE-2020-8273) in the Citrix software-defined (SD)-WAN platform.
Actions to be taken:
These vulnerabilities have been addressed in the following versions of Citrix SD-WAN Center:
- Citrix SD-WAN 11.2.2 and later versions of Citrix SD-WAN 11.2
- Citrix SD-WAN 11.1.2b and later versions of Citrix SD-WAN 11.1
- Citrix SD-WAN 10.2.8 and later versions of Citrix SD-WAN 10.2
As a mitigating factor, Citrix SD-WAN Center is an internal management platform for Citrix SD-WAN, so access to it is likely to be restricted.
The latest versions of Citrix SD-WAN Center can be downloaded from https://www.citrix.com/en-gb/downloads/citrix-sd-wan/