XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.x and 9.x


Citrix released a security patch for XenMobile today; see below.

Description of Problem

An XML External Entity (XXE) processing vulnerability has been identified in Citrix XenMobile Server that could allow an unauthenticated attacker to retrieve potentially sensitive information from the server.

This vulnerability has been assigned the following CVE number:

  • CVE-2017-9231: XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server.

This vulnerability affects the following Citrix XenMobile Server versions:

  • Citrix XenMobile Server 10.x earlier than 10.5 RP3

  • All versions of Citrix XenMobile App Controller 9.x

What Customers Should Do

This vulnerability has been addressed in Citrix XenMobile Server version 10.5 RP3 and later.

Citrix strongly recommends that customers upgrade their Citrix XenMobile Server deployments to this version or later. This upgrade can be obtained from the following location:

https://support.citrix.com/article/CTX224467


What Citrix Is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at http://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix