Citrix Security Advisory for CVE-2014-0160, aka the Heartbleed vulnerability.
The License Administration Console in Citrix License Server version 11.10 and older is not vulnerable to ‘Heartbleed’.
The Citrix Web Service for Licensing replaces the Citrix Simple License Service in version 11.11.1. It handles calls from the Licensing Snap-in and performs the hands-free allocation and downloading of license files from http://www.citrix.com.
The Citrix License Server v11.11.1, the Citrix License Server VPX v11.12 and the Citrix Usage Collector are vulnerable to CVE-2014-0160. New versions of the License Server v126.96.36.19917 and the License Server VPX v11.12.14001 can be downloaded from the Citrix website at the following address: https://www.citrix.com/downloads/licensing/license-server/license-server-version-11111-for-windows.html
The Citrix Usage Collector captures usage data and facilitates automated billing for Citrix Service Providers. It communicates with citrix.com.
The Citrix License Server Console uses the default Web service port 8082 and is configured to use HTTP. If License Server administrators have configured this service to use HTTPS, complete the following configuration steps:
• On the License Administration Console, select “Administration” > “Server Configuration” > “Secure Web Server Configuration”, uncheck “Enable HTTPS”.
• Uncheck the option “Redirect non-secure web access to secure web access”, click Save, and restart the License Server.
This will disable the HTTPS port on the License Server.
If the service “Citrix Web Services for Licensing” is present, set its startup type to disabled and reboot the machine. Log on to the server as an Administrator and open a command prompt. Type the following commands:
> net stop citrixwebservicesforlicensing
> sc config citrixwebservicesforlicensing start= disabled
If the service “Citrix Simple License Service” is present, set its startup type to disabled and reboot the machine. Log on to the server as an Administrator and open a command prompt. Type the following commands:
> net stop citrixsimplelicenseservice
> sc config citrixsimplelicenseservice start= disabled
The Citrix Licensing Administration Snap-in communicates with the Web Services for Licensing component over port 8083. Communication to the License Server over this port should be blocked in the Windows firewall. As a result, Citrix Studio will be unable to administer licensing.
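
The service and firewall steps above can be applied and then verified in one pass. The script below is an added example, not part of the Citrix advisory; the service names and port 8083 are taken from the text above, the firewall rule name `Block-Citrix-WSL-8083` is an assumption made for this example, and it assumes an elevated Windows PowerShell prompt on the License Server.

```powershell
# Added example: applies and verifies the advisory's interim mitigations.
# It does not reboot the machine; do that afterwards as the advisory instructs.
$Services = 'citrixwebservicesforlicensing', 'citrixsimplelicenseservice'  # from the advisory
$Port     = 8083                                                            # from the advisory
$RuleName = 'Block-Citrix-WSL-8083'   # assumed rule name, chosen for this example

function Disable-LicensingService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return "${Name}: not installed, nothing to do" }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    # Re-read the state from WMI instead of trusting the calls above
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    return "${Name}: state=$($wmi.State) startmode=$($wmi.StartMode)"
}

function Block-InboundPort {
    param([int]$LocalPort, [string]$Name)
    # netsh is used so this also works on hosts without the NetSecurity cmdlets
    netsh advfirewall firewall show rule name=$Name | Out-Null
    if ($LASTEXITCODE -ne 0) {
        # Rule not found: create an inbound block rule for the port
        netsh advfirewall firewall add rule name=$Name dir=in action=block protocol=TCP localport=$LocalPort | Out-Null
        if ($LASTEXITCODE -ne 0) { return "firewall: failed to add rule $Name" }
    }
    return "firewall: inbound TCP $LocalPort blocked by rule $Name"
}

function Test-PortListening {
    param([int]$LocalPort)
    # True if any local socket (IPv4 or IPv6) is still listening on the port
    return [bool](netstat -ano | Select-String -Pattern ":$LocalPort\s+\S+\s+LISTENING")
}

$Services | ForEach-Object { Disable-LicensingService -Name $_ }
Block-InboundPort -LocalPort $Port -Name $RuleName
if (Test-PortListening -LocalPort $Port) {
    Write-Warning "TCP $Port is still listening; check which process owns it (netstat -ano)."
} else {
    "TCP ${Port}: no listener"
}
```

Each service line should report `state=Stopped startmode=Disabled` (or that the service is not installed), and no listener should remain on TCP 8083.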