A vulnerability has been identified in the Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway Packet Engine that could allow an attacker to exploit the appliance to decrypt TLS traffic.

This vulnerability has been assigned the following CVE:

CVE-2017-17382: TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway

This vulnerability affects the following versions of Citrix NetScaler ADC and NetScaler Gateway:

Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.22

Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 56.19

Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 71.22

Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 67.13

This vulnerability does not allow an attacker to obtain the TLS private key.

In deployments where TLS private keys are shared between different devices, any of these vulnerable appliances could potentially be used to decrypt TLS traffic handled by the other devices. As a consequence, all vulnerable devices must be patched to address this issue.