How to fix Object Prototype Pollution Vulnerability on Citrix Netscalers

The latest firmware versions of Netscaler 12, 12.1 and 13 are vulnerable to the re-emerged jQuery Object.prototype pollution attack, which is detailed in CVE-2019-11358.

Problem

The version of the jQuery library hosted on the remote web server is prior to 3.4.0. It is, therefore, affected by an Object.prototype pollution vulnerability.

“jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.” Source: MITRE

Solution

Upgrade to jQuery version 3.4.0 or later.

Option 1: Update the Netscaler firmware. There is a problem with this at the moment, as the latest Netscaler ADC firmware (v13.0 36.27.nc) still ships jQuery library version 3.3.1. According to Citrix Support, the fix for this vulnerability will arrive in the next firmware release, in Q3 2019.

Option 2: Manually update the jQuery library on the Netscaler.

1. Download the latest jQuery library from jQuery.com:

https://code.jquery.com/jquery-3.4.1.min.js

2. Upload the new jQuery library to the Netscaler path “/var/netscaler/logon/logonpoint/receiver/js/external/” using WinSCP.

3. Edit “index.html” (line 821) and “tmindex.html” (line 823) under the /var/netscaler/logon/LogonPoint/ path so that the script reference points to the new jQuery file.

This solution was tested on Netscaler v12/12.1/13.
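After step 3 it is worth confirming that each logon page really loads a jQuery build of 3.4.0 or later, since a stale reference in one of the two pages leaves it vulnerable. The script below is an added example, not code from the original post: it reads the src of the jQuery script tag in a page, reads the version banner of the file that src points to, and reports whether the version is fixed. The directory layout, file names and sample files are constructed for the example; a real NetScaler page may reference the library differently.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a logon page loads a
# jQuery build >= 3.4.0. The directory layout and sample files are constructed.

# Print the version from a jQuery build's banner, e.g. "/*! jQuery v3.4.1 | ..." -> 3.4.1
jquery_file_version() {
  head -n 1 "$1" | sed -n 's/.*jQuery v\([0-9][0-9.]*\).*/\1/p'
}

# Print the src of the first <script> tag in page $1 whose src mentions jquery.
jquery_src_in_page() {
  sed -n 's/.*<script[^>]*src="\([^"]*jquery[^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when version $1 is 3.4.0 or later (the first release with the fix).
jquery_is_fixed() {
  [ -n "$1" ] || return 1
  major=$(echo "$1" | cut -d. -f1); minor=$(echo "$1" | cut -d. -f2)
  [ "$major" -gt 3 ] && return 0
  [ "$major" -eq 3 ] && [ "$minor" -ge 4 ] && return 0
  return 1
}

# Resolve the page's jQuery reference against web root $1 and report the status.
# Prints "<page>: <version> fixed|vulnerable" (or "missing") and returns 0 only when fixed.
check_logon_page() {   # $1: web root, $2: page path relative to that root
  src=$(jquery_src_in_page "$1/$2")
  [ -n "$src" ] && [ -f "$1/$src" ] || { echo "$2: jquery missing"; return 1; }
  ver=$(jquery_file_version "$1/$src")
  if jquery_is_fixed "$ver"; then echo "$2: $ver fixed"; return 0; fi
  echo "$2: ${ver:-unknown} vulnerable"; return 1
}

# Constructed sample tree mirroring the post's layout (not a real NetScaler install):
# index.html still points at 3.3.1, tmindex.html already points at 3.4.1.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/receiver/js/external"
printf '/*! jQuery v3.3.1 | (c) JS Foundation | jquery.org/license */\n' > "$ROOT/receiver/js/external/jquery-3.3.1.min.js"
printf '/*! jQuery v3.4.1 | (c) JS Foundation | jquery.org/license */\n' > "$ROOT/receiver/js/external/jquery-3.4.1.min.js"
printf '<script src="receiver/js/external/jquery-3.3.1.min.js"></script>\n' > "$ROOT/index.html"
printf '<script src="receiver/js/external/jquery-3.4.1.min.js"></script>\n' > "$ROOT/tmindex.html"

for page in index.html tmindex.html; do
  check_logon_page "$ROOT" "$page" || :   # index.html: 3.3.1 vulnerable / tmindex.html: 3.4.1 fixed
done
```

On a real appliance, point ROOT at the LogonPoint directory and run the check against index.html and tmindex.html after editing them.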
