Citrix sends out security bulletin emails, and *every time* the support article gets hugged to death

Admiral Patrick@dubvee.org to Mildly Infuriating@lemmy.world – 118 points –

They used to put the affected versions in the email, but that stopped a few months ago. Now it's just a vague "product is affected, click the link to learn more". Every. Time. the support part of their site gets hugged to death as if the uptick in traffic to it is completely unexpected.

So now I have Schrödinger's vulnerability until whatever potato-class servers they have their support bulletins running on free up enough slots to render a frigging static HTML page.

It's almost as bad as news teasers that are like "Is something in your house going to kill you in the next 30 seconds? Find out more at 11!"

I mean, it must be very difficult to *checks notes* host a static document in a scalable way.

But still, if only they had an asynchronous, distributed way of publishing this information. Like old school letters, only digital. That would help them decrease the load on their infrastructure...

TIL: Citrix is still in business.

(You can tell I don't work in IT)

They've gone so far downhill it's not even funny. Unfortunately, they're still the best option for us to offer remote apps and desktops to our org.

Yeah, same boat. It's like the uncle that had a head injury and can hardly function compared to some of the earlier products they released

I also just learned this and I work in tech.

Can't you just search for the CVE online?

I mean, yeah, to get the general details of the vuln, but the support bulletin has the affected firmware versions. Ours may or may not be affected.

Thanks, but those aren't for the NetScaler appliance.

Ah, I see

Good resource, though. With these, they're appliances and you don't update packages individually: you just update the whole firmware.

Our org's firmware update cadence is quarterly unless there's a vulnerability that needs to be addressed. So that's what I'm trying to determine so I can get the maintenance window scheduled. We just updated everything last month.

I could never get useful details out of any of the CVE sites. Really annoying, but maybe I'm dumb

Could you just check the official CVE database?

Yeah, even for this one, MITRE and the NVD are completely useless (denying it exists).

MITRE denies it exists, links to NVD which is also basically an HTTP 404 error

You are right, though - when I look at CISA's notes, they direct to the right source meaningfully. I'm sure I've found some that are total stonewalls in the past, but no idea if that was MS, Chrome or just a particular vulnerability... It's happened enough I'd given up, but maybe I should retry next time.

If only they knew a multinational cloud provider that could help them handle the load caused by them notifying their customers…

Same for my electric bill. They used to attach the PDF to the email, now it's "log in to download" - and for 2-3 days from the bill the server is completely overloaded.

Hate this behavior too much

Seems to me that they're giving you ample incentive to migrate to another supplier.