-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.4302.4
   Citrix Security Advisory for Apache CVE-2021-44228 and CVE-2021-45046
                              7 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Endpoint Management (Citrix XenMobile Server)
                   Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-45105 CVE-2021-45046 CVE-2021-44832
                   CVE-2021-44228  

Reference:         ASB-2021.0244.5
                   ESB-2021.4255.2

Original Bulletin: 
   https://support.citrix.com/article/CTX335705

Revision History:  January   7 2022: Vendor updated advisory with new CVE details
                   December 22 2021: Vendor updated the advisory to include multiple updates
                   December 20 2021: Vendor updated the advisory to include CVE-2021-45105
                   December 17 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.

Reference: CTX335705
Category : Critical
Created  : 11 December 2021
Modified : 29 December 2021

Applicable Products

  o Citrix ADC
  o Citrix Endpoint Management
  o Citrix Gateway
  o Citrix SD-WAN
  o Citrix Workspace App
  o Citrix Virtual Apps and Desktops
  o Citrix Application Delivery Management
  o ShareFile

Description of Problem

Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of which
may allow an attacker to execute arbitrary code. These three vulnerabilities
have been given the following identifiers:

  o CVE-2021-44228
  o CVE-2021-45046
  o CVE-2021-44832

The fourth vulnerability may allow an attacker to cause a denial of service.
This vulnerability has been given the following identifier:

  o CVE-2021-45105

Citrix continues to investigate any potential impact on Citrix-managed cloud
services. If, as the investigation continues, any Citrix-managed services are
found to be affected by this issue, Citrix will take immediate action to
remediate the problem. Customers using Citrix-managed cloud services do not
need to take any action.

In parallel, Citrix continues to investigate the potential impact on
customer-managed (on-premises) products. Please find below the present status
of these products for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and
CVE-2021-44832.

+------------------------------+----------------------------------------------+
|Product                       |Status                                        |
+------------------------------+----------------------------------------------+
|Citrix ADC (NetScaler ADC) and|                                              |
|Citrix Gateway (NetScaler     |Not impacted (all platforms)                  |
|Gateway)                      |                                              |
+------------------------------+----------------------------------------------+
|Citrix Application Delivery   |Not impacted (all platforms)                  |
|Management (NetScaler MAS)    |                                              |
+------------------------------+----------------------------------------------+
|Citrix Cloud Connector        |Not impacted                                  |
+------------------------------+----------------------------------------------+
|Citrix Connector Appliance for|Not impacted                                  |
|Cloud Services                |                                              |
+------------------------------+----------------------------------------------+
|Citrix Content Collaboration  |                                              |
|(ShareFile Integration) -     |                                              |
|Citrix Files for Windows,     |Not impacted                                  |
|Citrix Files for Mac, Citrix  |                                              |
|Files for Outlook             |                                              |
+------------------------------+----------------------------------------------+
|                              |Impacted - Customers are advised to apply the |
|                              |latest CEM rolling patch updates listed below |
|                              |as soon as possible to reduce the risk of     |
|                              |exploitation.                                 |
|                              |                                              |
|                              |CVE-2021-44228 and CVE-2021-45046:            |
|                              |                                              |
|                              |  o XenMobile Server 10.14 RP2: https://      |
|                              |    support.citrix.com/article/CTX335763      |
|                              |                                              |
|                              |  o XenMobile Server 10.13 RP5: https://      |
|                              |    support.citrix.com/article/CTX335753      |
|                              |                                              |
|                              |  o XenMobile Server 10.12 RP10: https://     |
|                              |    support.citrix.com/article/CTX335785      |
|                              |                                              |
|                              |CVE-2021-45105:                               |
|Citrix Endpoint Management    |                                              |
|(Citrix XenMobile Server)     |  o XenMobile Server 10.14 RP3: https://      |
|                              |    support.citrix.com/article/CTX335897      |
|                              |                                              |
|                              |  o XenMobile Server 10.13 RP6: https://      |
|                              |    support.citrix.com/article/CTX335875      |
|                              |                                              |
|                              |  o XenMobile Server 10.12 RP11: https://     |
|                              |    support.citrix.com/article/CTX335861      |
|                              |                                              |
|                              |Note: Customers who have upgraded their       |
|                              |XenMobile Server to the updated versions are  |
|                              |recommended not to apply the responder policy |
|                              |mentioned in the blog listed below to the     |
|                              |Citrix ADC vserver in front of the XenMobile  |
|                              |Server as it may impact the enrollment of     |
|                              |Android devices.                              |
|                              |                                              |
|                              |CVE-2021-44832: Not impacted                  |
+------------------------------+----------------------------------------------+
|Citrix Hypervisor (XenServer) |Not impacted                                  |
+------------------------------+----------------------------------------------+
|Citrix License Server         |Not impacted                                  |
+------------------------------+----------------------------------------------+
|Citrix SD-WAN                 |Not impacted (all platforms)                  |
+------------------------------+----------------------------------------------+
|Citrix ShareFile StorageZones |Not impacted                                  |
|Controller                    |                                              |
+------------------------------+----------------------------------------------+
|                              |Impacted - Linux VDA (non-LTSR versions only) |
|                              |                                              |
|                              |CVE-2021-44228 and CVE-2021-45046:            |
|                              |                                              |
|                              |Customers are advised to apply the latest     |
|                              |update as soon as possible to reduce the risk |
|                              |of exploitation.                              |
|                              |                                              |
|                              |  o Linux Virtual Delivery Agent 2112: https:/|
|                              |    /www.citrix.com/downloads/                |
|                              |    citrix-virtual-apps-and-desktops/         |
|                              |    components/linux-vda-2112.html            |
|                              |                                              |
|                              |Mitigations:                                  |
|                              |                                              |
|                              |Customers who are not able to upgrade         |
|                              |immediately can execute the following commands|
|                              |with root privileges on the Linux machine     |
|Citrix Virtual Apps and       |running VDA to protect against CVE-2021-44228 |
|Desktops (XenApp & XenDesktop)|and CVE-2021-45046:                           |
|                              |                                              |
|                              |cd /opt/Citrix/VDA/lib64                      |
|                              |                                              |
|                              |zip -q -d log4j-core-*.jar org/apache/logging/|
|                              |log4j/core/lookup/JndiLookup.class            |
|                              |                                              |
|                              |CVE-2021-45105:                               |
|                              |                                              |
|                              |Investigation has shown that Linux VDA is not |
|                              |impacted. Nonetheless, the Linux VDA 2112 has |
|                              |been updated (21.12.0.30, released December   |
|                              |20th) to contain Apache log4j version 2.17.0. |
|                              |                                              |
|                              |Not Impacted - Linux VDA LTSR all versions    |
|                              |                                              |
|                              |Not Impacted - All other CVAD components      |
|                              |                                              |
|                              |CVE-2021-44832: Not impacted                  |
+------------------------------+----------------------------------------------+
|Citrix Workspace App          |Not impacted (all platforms)                  |
+------------------------------+----------------------------------------------+
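The Linux VDA mitigation above amounts to two checks a defender wants to automate across every log4j-core-*.jar on a host: which Log4j build the jar is, and whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside it. The following is an added example, not Citrix tooling and not part of the advisory; it reads the version from the jar's Maven pom.properties, classifies the jar, and performs the same entry removal as the advisory's `zip -q -d` step by rewriting the jar without that class. The sample jars, their version strings, the dummy class bytes and the temporary directory standing in for /opt/Citrix/VDA/lib64 are all constructed here for illustration; the 2.17.0 threshold is the Log4j version the advisory reports the updated Linux VDA 2112 ships.

```python
"""Added example (not Citrix's own tooling): inventory log4j-core jars the way
the advisory's mitigation does, and remove JndiLookup.class when an upgrade is
not yet possible. Sample jars and paths below are constructed for illustration."""
import glob
import os
import re
import tempfile
import zipfile

# Entry the advisory's `zip -q -d` step deletes from log4j-core-*.jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by Log4j jars; its version= line identifies the build.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Log4j version the advisory reports the updated Linux VDA 2112 ships.
PATCHED_VERSION = (2, 17, 0)


def find_log4j_jars(directory):
    """Mirror the advisory's glob: every log4j-core-*.jar under `directory`."""
    return sorted(glob.glob(os.path.join(directory, "log4j-core-*.jar")))


def log4j_core_version(jar_path):
    """Read the version from the jar's Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def _version_tuple(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(int(g) for g in m.groups()) if m else None


def assess(jar_path):
    """Classify one jar: 'patched' (2.17.0 or later), 'mitigated' (older build
    with JndiLookup.class already removed) or 'vulnerable' (older build that
    still carries the class)."""
    version = log4j_core_version(jar_path)
    with zipfile.ZipFile(jar_path) as zf:
        jndi_present = JNDI_LOOKUP in zf.namelist()
    vt = _version_tuple(version)
    if vt is not None and vt >= PATCHED_VERSION:
        verdict = "patched"
    elif not jndi_present:
        verdict = "mitigated"
    else:
        verdict = "vulnerable"
    return {"jar": jar_path, "version": version,
            "jndi_lookup": jndi_present, "verdict": verdict}


def remove_jndi_lookup(jar_path):
    """Equivalent of `zip -q -d <jar> .../JndiLookup.class`: rewrite the jar
    without that entry. Returns True if removed, False if it was not present."""
    with zipfile.ZipFile(jar_path) as src:
        if JNDI_LOOKUP not in src.namelist():
            return False
        fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(jar_path) or ".",
                                        suffix=".tmp")
        os.close(fd)
        with zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_LOOKUP:
                    dst.writestr(info, src.read(info.filename))
    # Atomic swap so an interrupted run never leaves a half-written jar behind.
    os.replace(tmp_path, jar_path)
    return True


def make_sample_jar(directory, version="2.14.1", include_jndi=True):
    """Constructed stand-in for log4j-core-<version>.jar with dummy class bytes."""
    path = os.path.join(directory, "log4j-core-%s.jar" % version)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\nversion=%s\n" % version)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Walk a constructed lib dir through vulnerable -> mitigated -> patched."""
    verdicts = []
    with tempfile.TemporaryDirectory() as lib_dir:  # stands in for /opt/Citrix/VDA/lib64
        old = make_sample_jar(lib_dir, "2.14.1")
        verdicts.append(assess(old)["verdict"])
        remove_jndi_lookup(old)
        verdicts.append(assess(old)["verdict"])
        make_sample_jar(lib_dir, "2.17.0")
        for jar in find_log4j_jars(lib_dir):
            if jar != old:
                verdicts.append(assess(jar)["verdict"])
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

On a real host, point find_log4j_jars() at the VDA's lib64 directory and run assess() before and after the removal so the change is recorded; as the advisory says, removing the class is an interim measure and the upgrade to Linux VDA 2112 remains the fix.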


What Customers Should Do

Affected customers are strongly recommended to immediately apply the latest
updates to reduce the risk of exploitation.

All customers are recommended to monitor this article for the latest updates.
Customers may also subscribe to receive notifications at
https://support.citrix.com/user/alerts

Citrix also strongly recommends that customers consider security guidance from
vendors of other products that they may have deployed. As an interim measure,
Citrix ADC Standard, Advanced or Premium edition customers may reduce the risk
of exploitation of these vulnerabilities on servers running behind a Citrix ADC
by deploying updated WAF signatures or by binding responder policies to the
appropriate bind point (vserver or global). Please see our blog for additional
information. Citrix will continue to monitor this dynamic situation and update
the blog as new measures become available.

What Citrix is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge Center
at https://support.citrix.com/ .


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case/ .


Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any
and all potential vulnerabilities seriously. For details on our vulnerability
response process and guidance on how to report security-related issues to
Citrix, please see the following webpage:
https://www.citrix.com/about/trust-center/vulnerability-process.html


Disclaimer

This document is provided on an "as is" basis and does not imply any kind of
guarantee or warranty, including the warranties of merchantability or fitness
for a particular use. Your use of the information on the document is at your
own risk. Citrix reserves the right to change or update this document at any
time.


Changelog

2021-12-11 Initial Publication

2021-12-11 Update to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler
           Gateway)
2021-12-12 Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler
           Gateway), Citrix Application Delivery Management (NetScaler MAS),
           Citrix License Server, Citrix ShareFile Storage Zones Controller,
           Citrix Virtual Apps and Desktops (XenApp & XenDesktop), and Citrix
           Workspace App
2021-12-13 Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler
           Gateway), Citrix Cloud Connector, Citrix Connector Appliance for
           Cloud Services, Citrix License Server, Citrix SD-WAN, Citrix Virtual
           Apps and Desktops (XenApp & XenDesktop)

2021-12-14 Added information about configurations that are designed to mitigate
           the risk of exploit of CVE-2021-44228.
2021-12-16 Updates to Citrix Endpoint Management On-premises (Citrix XenMobile
           Server)
2021-12-16 Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
           and Citrix Endpoint Management On-premises (Citrix XenMobile Server)
2021-12-16 Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-17 Updates to Citrix Content Collaboration (ShareFile Integration)
2021-12-18 Minor update to text to make it evident that the Security Bulletin
           addresses two CVEs - CVE-2021-44228 and CVE-2021-45046
2021-12-18 Updates to include CVE-2021-45105 and clarify text
2021-12-19 Update to the blog link
2021-12-20 Updates to Citrix Endpoint Management On-premises (Citrix XenMobile
           Server) and Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-22 Update to Citrix Endpoint Management On-premises (Citrix XenMobile
           Server)
2021-12-28 Update to include CVE-2021-44832
2021-12-29 Updates to Citrix Endpoint Management On-premises (Citrix XenMobile
           Server) and Citrix Virtual Apps and Desktops (XenApp & XenDesktop)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----