The Cybersecurity and Infrastructure Security Agency (CISA) has released a utility that enables users and administrators to test whether their Citrix Application Delivery Controller (ADC) and Citrix Gateway software is susceptible to the CVE-2019-19781 vulnerability. According to Citrix Security Bulletin CTX267027, beginning on January 20, 2020, Citrix will be releasing new versions of Citrix ADC and Citrix Gateway that will patch CVE-2019-19781.
CISA strongly advises affected organizations to review CERT/CC’s Vulnerability Note VU#619785 and Citrix Security Bulletin CTX267027 and apply the mitigations until Citrix releases new versions of the software.
The above follows a recently discovered vulnerability in Citrix ADC (formerly NetScaler). Details of the CVE can be found at https://support.citrix.com/article/CTX267027. There is no permanent fix yet, but Citrix has published a workaround and an estimated delivery timeline for firmware patches: https://support.citrix.com/article/CTX267679. The CVE is also listed in the National Vulnerability Database (NVD) of US NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-19781.
Details of the CVE can also be found at: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19781 and https://www.cvedetails.com/vendor/422/Citrix.html.