NetScaler Blog

Guidance on CVEs that may affect your NetScaler deployment

July 9, 2024 by Anil Shetty

Protect your NetScaler deployment from vulnerabilities

On July 9, 2024, NetScaler released builds to fix the following CVEs: 

  • CVE-2024-6235 affects NetScaler Console (formerly NetScaler ADM)
  • CVE-2024-6236 affects NetScaler Console, NetScaler Agent and NetScaler SVM, but not NetScaler VPX instances in NetScaler SDX
  • CVE-2024-5491 and CVE-2024-5492 affect NetScaler (NetScaler ADC and NetScaler Gateway)

Third-Party CVE:

  • CVE-2024-6387 is a third-party software vulnerability in the open source OpenSSH component and affects NetScaler (NetScaler ADC and NetScaler Gateway)

All five of these CVEs apply only to customer-managed instances of NetScaler. If you have NetScaler-managed infrastructure, such as NetScaler Console Service, you do not need to take any action.

CVE-2024-6235 and CVE-2024-6236

CVE-2024-6235, identified as a critical-severity vulnerability, allows sensitive information disclosure. CVE-2024-6236, identified as a high-severity vulnerability, allows a denial of service attack.

We discovered these vulnerabilities as a result of internal research and are unaware of any exploits in the wild.

If you are using affected builds and have NetScaler Console exposed to the public internet, we strongly recommend that you install the recommended updates immediately (NetScaler ADC and NetScaler Gateway, and NetScaler Console). Please note that our configuration guidance is that NetScaler Console, and any element of it, should never be exposed to the public internet. Rather, keep the NetScaler Console IP on a private network reachable only by administrators.

While we cannot provide exact numbers, there are indications that the number of customer-managed versions of NetScaler Console exposed to the internet is small relative to the number of NetScaler ADCs deployed worldwide.

However, even if NetScaler Console is not exposed externally, we still recommend installing the relevant update: an attacker who already has a foothold on the internal network, or a malicious insider, can reach the Console just as an external attacker would.

CVE-2024-5491 and CVE-2024-5492

CVE-2024-5491, identified as a high-severity vulnerability, allows a denial of service attack. CVE-2024-5492, identified as a medium-severity vulnerability, allows a remote unauthenticated attacker to redirect users to arbitrary or potentially malicious websites.

Please note that NetScaler version 12.1 (NetScaler ADC and NetScaler Gateway) is now end of life and remains vulnerable. If you are still running version 12.1, we recommend that you upgrade NetScaler to one of the supported versions that include the fixes for these vulnerabilities.

In both this communication and the related security bulletins for NetScaler ADC and NetScaler Console, please understand that we are sharing few technical details. We are intentional about not disclosing additional information because the details could aid malicious actors in exploiting these vulnerabilities.

CVE-2024-6387

CVE-2024-6387 is related to the OpenSSH component that is used by many networking products, including NetScaler. Discovered externally by Qualys, this vulnerability is a signal handler race condition in OpenSSH's server (sshd) that allows unauthenticated remote code execution as root on glibc-based Linux systems. NetScaler is addressing this vulnerability in the same fixed builds linked below, so a single upgrade covers both the NetScaler-specific CVEs and CVE-2024-6387.
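Because CVE-2024-6387 lives in a widely embedded component, the same question arises for every SSH endpoint in an estate, not only NetScaler. The following is an added example, not code from NetScaler or from this post, that triages SSH server identification strings against the affected OpenSSH version ranges published in the Qualys advisory (releases before 4.4p1 unless patched for CVE-2006-5051; 8.5p1 up to but not including 9.8p1). The banners are constructed samples; the `grab_banner` helper and its defaults are assumptions for live use, and the page itself does not state which OpenSSH version NetScaler builds ship.

```python
import re
import socket
from typing import Dict, List, Optional, Tuple

# Constructed sample identification strings (not captured from any real host).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_7.4",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]

# Affected ranges for CVE-2024-6387 as published by Qualys (fact, not from this page).
_LEGACY_FIXED = (4, 4, 1)   # < 4.4p1 vulnerable unless patched for CVE-2006-5051
_REGRESSED_AT = (8, 5, 1)   # 8.5p1 reintroduced the race
_FIXED_AT = (9, 8, 1)       # 9.8p1 fixes it

_BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable_patch) from an SSH identification string,
    or None when the server does not identify as OpenSSH.
    A missing pN suffix is treated as p0 so tuple comparison stays sound."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def regresshion_status(banner: str) -> str:
    """Classify one banner against the CVE-2024-6387 version ranges."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if v < _LEGACY_FIXED:
        return "vulnerable-legacy"
    if v < _REGRESSED_AT:
        return "not-vulnerable"
    if v < _FIXED_AT:
        return "vulnerable"
    return "fixed"


def triage(banners: List[str]) -> Dict[str, List[str]]:
    """Group banners by status so the ones needing action are listed together."""
    buckets: Dict[str, List[str]] = {}
    for b in banners:
        buckets.setdefault(regresshion_status(b), []).append(b)
    return buckets


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line from a live host (assumed helper;
    only the first line is read, nothing is sent, so this is a passive check)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = s.recv(256)
    return data.decode("ascii", errors="replace").split("\r\n", 1)[0]


if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{status:18} {hosts}")
```

A banner check is a first pass only: distributions that backport fixes keep the upstream version string, so a host reported as "vulnerable" here may already be patched, and a packed appliance such as NetScaler should be judged by the vendor bulletin and fixed build number rather than by its sshd version. Treat a "vulnerable" result as a prompt to confirm with package metadata or the vendor, not as proof of exposure.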

Update installation

Permanent fixes are available to download here:

  • NetScaler ADC and NetScaler Gateway
  • NetScaler Console

Learn more and stay up to date

  • Read the security bulletins for NetScaler ADC and NetScaler Console
  • Sign up for security bulletin notifications 
  • Consult the best practices deployment guides for NetScaler and NetScaler Console
  • Contact your NetScaler account representative to enroll in receiving pre-notification of security bulletins

Improved vulnerability management with NetScaler Console 

If you use NetScaler Console (formerly NetScaler Application Delivery Management), this is an ideal time to explore the security features it provides. The Security Advisory and Upgrade Advisory features can help reduce your time to patch, which can be critical in the current threat landscape:

  • Security Advisory protects your infrastructure by highlighting NetScaler ADCs with CVE exposure, scheduling on-demand vulnerability scans, and suggesting remediations.
  • Upgrade Advisory helps you with the lifecycle management of NetScaler ADCs.
  • File Integrity Monitoring ensures the integrity of the files on NetScaler ADCs by determining if changes have been made to your NetScaler build files.

