Welcome to my website!

Thanks for dropping by! This site is a long overdue project that has finally materialized (whew), and I’m planning to use this space to share my endeavors in security, networking, virtualization, cloud and more. I’ll be uploading how-to guides, tweaks, and solutions to problems I was able to resolve, so keep checking for updates. It’s a way for me to give back to the community.

-JM

About Me

My name is Jess Martin and I’m the Manager of Systems Administration at Merit H.I.S, based in Toronto, where I focus on security, networking, storage, virtualization, and cloud technologies from Citrix, Microsoft, and VMware. I’m also a private IT contractor serving small and medium-sized businesses (SMBs) within the Greater Toronto Area.

In my 2 decades of professional work I have gained experience on small and large-scale projects for airports, financial institutions, insurance companies, and travel companies, and I have earned several certifications from different technology vendors.

My certifications:

CompTIA A+, Network+, CCNA (2010), MCSE/MCSA, VMware VCP5/6

Disclaimer:

The content and opinions expressed in articles and posts are my own and are by no means associated with my employer.

How to fix the Object Prototype Pollution Vulnerability on Citrix Netscalers

The latest firmware versions of Netscaler 12, 12.1 and 13 are vulnerable to the re-emerged jQuery Object.prototype pollution attack detailed in CVE-2019-11358.

Problem

The version of the jQuery library hosted on the remote web server is prior to 3.4.0. It is, therefore, affected by an Object.prototype pollution vulnerability.

“jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.” Source: MITRE

Solution

Upgrade to jQuery version 3.4.0 or later.

Option 1: Update the Netscaler firmware. There’s a problem with this at the moment, as the latest Netscaler ADC firmware (v13.0 36.27.nc) still ships jQuery library version 3.3.1. According to Citrix Support, the fix will arrive in the next firmware release, in Q3 2019.
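To make the MITRE description and the "3.4.0 or later" rule concrete, here is an added example written for this post; it is not Citrix or jQuery code. It shows a deep merge in the style of jQuery.extend(true, target, source) that skips the keys which could reach Object.prototype (the approach jQuery 3.4.0 took for CVE-2019-11358), a version gate for 3.4.0 or later, and a scan of a logon page's script tags to confirm which jQuery file it loads. The banner string and the HTML snippet are constructed samples; the helper names are my own.

```javascript
// Added example for this post, not Citrix or jQuery code.
// (1) safeDeepExtend: a deep merge that refuses prototype-reaching keys,
// (2) jqueryIsPatched: "is this version 3.4.0 or later?",
// (3) jquerySources / pageUsesPatchedJquery: which jQuery file a page loads.
// All sample strings below are constructed for the demo.

const FIXED_IN = [3, 4, 0];                       // first jQuery release with the fix
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// Deep merge like jQuery.extend(true, target, ...sources); keys that could
// reach Object.prototype are skipped instead of being assigned.
function safeDeepExtend(target, ...sources) {
  for (const source of sources) {
    if (!isPlainObject(source)) continue;
    for (const key of Object.keys(source)) {
      if (BLOCKED_KEYS.has(key)) continue;        // the CVE-2019-11358 fix
      const value = source[key];
      if (isPlainObject(value)) {
        const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
        target[key] = safeDeepExtend(isPlainObject(own) ? own : {}, value);
      } else if (value !== undefined) {
        target[key] = value;
      }
    }
  }
  return target;
}

// Parse the first "X.Y[.Z]" found in text into numbers; a missing patch level counts as 0.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)(?:\.(\d+))?/.exec(text);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

// True when the version is 3.4.0 or later; unknown versions are treated as unpatched.
function jqueryIsPatched(versionText) {
  const v = parseVersion(versionText);
  if (!v) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED_IN[i]) return v[i] > FIXED_IN[i];
  }
  return true;
}

// jQuery builds open with a banner such as "/*! jQuery v3.3.1 | (c) ... */".
function versionFromBanner(fileText) {
  const m = /jQuery v(\d+\.\d+\.\d+)/.exec(fileText.slice(0, 200));
  return m ? m[1] : null;
}

// The src of every <script> tag whose file name contains "jquery".
function jquerySources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']*jquery[^"']*)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Does every jQuery file the page references carry a patched version in its name?
// A name without a version (e.g. jquery.min.js) is reported as unpatched so you
// go and read its banner instead of trusting the file name.
function pageUsesPatchedJquery(html) {
  const srcs = jquerySources(html);
  return srcs.length > 0 && srcs.every((s) => jqueryIsPatched(s));
}

// Constructed samples: a hostile source object, an old banner, and a logon page line.
const HOSTILE = JSON.parse('{"__proto__": {"polluted": "yes"}, "a": {"b": 1}}');
const SAFE_COPY = safeDeepExtend({}, HOSTILE);
const OLD_BANNER = '/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */';
const LOGON_PAGE = '<script src="receiver/js/external/jquery-3.4.1.min.js"></script>';

console.log('merged keys:', Object.keys(SAFE_COPY), '| prototype clean:', ({}).polluted === undefined);
console.log('3.3.1 patched?', jqueryIsPatched(versionFromBanner(OLD_BANNER)));
console.log('logon page loads patched jQuery?', pageUsesPatchedJquery(LOGON_PAGE));
```

Once the new file is in place, the quickest live check is the browser console on the logon page: jQuery publishes its own version string as jQuery.fn.jquery, which should read 3.4.1 after the swap.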

Option 2: Manually update the jQuery library on the Netscaler

1. Download the latest jQuery library from jQuery.com:

https://code.jquery.com/jquery-3.4.1.min.js

2. Upload the new jQuery library to the Netscaler path “/var/netscaler/logon/logonpoint/receiver/js/external/” using WinSCP.

3. Change the script reference in “index.html” (line 821) and “tmindex.html” (line 823) under the /var/netscaler/logon/LogonPoint/ path to point to the new jQuery file.

This solution was tested on Netscaler v12, 12.1 and 13.