-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.4302.4
   Citrix Security Advisory for Apache CVE-2021-44228 and CVE-2021-45046
                               7 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Citrix Endpoint Management (Citrix XenMobile Server)
                   Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
Publisher:         Citrix
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-45105 CVE-2021-45046 CVE-2021-44832
                   CVE-2021-44228
Reference:         ASB-2021.0244.5
                   ESB-2021.4255.2

Original Bulletin:
   https://support.citrix.com/article/CTX335705

Revision History:  January   7 2022: Vendor updated advisory with new CVE
                                     details
                   December 22 2021: Vendor updated the advisory to include
                                     multiple updates
                   December 20 2021: Vendor updated the advisory to include
                                     CVE-2021-45105
                   December 17 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
and CVE-2021-44832.

Reference: CTX335705
Category : Critical
Created  : 11 December 2021
Modified : 29 December 2021

Applicable Products

  o Citrix ADC
  o Citrix Endpoint Management
  o Citrix Gateway
  o Citrix SD-WAN
  o Citrix Workspace App
  o Citrix Virtual Apps and Desktops
  o Citrix Application Delivery Management
  o ShareFile

Description of Problem

Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of
which may allow an attacker to execute arbitrary code. These three
vulnerabilities have been given the following identifiers:

  o CVE-2021-44228
  o CVE-2021-45046
  o CVE-2021-44832

The fourth vulnerability may allow an attacker to cause a denial of service.
This vulnerability has been given the following identifier:

  o CVE-2021-45105

Citrix continues to investigate any potential impact on Citrix-managed cloud
services. If, as the investigation continues, any Citrix-managed services are
found to be affected by this issue, Citrix will take immediate action to
remediate the problem. Customers using Citrix-managed cloud services do not
need to take any action.

In parallel, Citrix continues to investigate the potential impact on
customer-managed (on-premises) products. Please find below the present status
of these products for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and
CVE-2021-44832.

Product / Status

Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway)
    Not impacted (all platforms)

Citrix Application Delivery Management (NetScaler MAS)
    Not impacted (all platforms)

Citrix Cloud Connector
    Not impacted

Citrix Connector Appliance for Cloud Services
    Not impacted

Citrix Content Collaboration (ShareFile Integration) - Citrix Files for
Windows, Citrix Files for Mac, Citrix Files for Outlook
    Not impacted

Citrix Endpoint Management (Citrix XenMobile Server)
    Impacted - Customers are advised to apply the latest CEM rolling patch
    updates listed below as soon as possible to reduce the risk of
    exploitation.

    CVE-2021-44228 and CVE-2021-45046:

      o XenMobile Server 10.14 RP2:
        https://support.citrix.com/article/CTX335763
      o XenMobile Server 10.13 RP5:
        https://support.citrix.com/article/CTX335753
      o XenMobile Server 10.12 RP10:
        https://support.citrix.com/article/CTX335785

    CVE-2021-45105:

      o XenMobile Server 10.14 RP3:
        https://support.citrix.com/article/CTX335897
      o XenMobile Server 10.13 RP6:
        https://support.citrix.com/article/CTX335875
      o XenMobile Server 10.12 RP11:
        https://support.citrix.com/article/CTX335861

    Note: Customers who have upgraded their XenMobile Server to the updated
    versions are recommended not to apply the responder policy mentioned in
    the blog listed below to the Citrix ADC vserver in front of the XenMobile
    Server as it may impact the enrollment of Android devices.

    CVE-2021-44832: Not impacted

Citrix Hypervisor (XenServer)
    Not impacted

Citrix License Server
    Not impacted

Citrix SD-WAN
    Not impacted (all platforms)

Citrix ShareFile StorageZones Controller
    Not impacted

Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
    Impacted - Linux VDA (non-LTSR versions only)

    CVE-2021-44228 and CVE-2021-45046:

    Customers are advised to apply the latest update as soon as possible to
    reduce the risk of exploitation

      o Linux Virtual Delivery Agent 2112:
        https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/components/linux-vda-2112.html

    Mitigations:

    Customers who are not able to upgrade immediately can execute the
    following commands with root privileges on the Linux machine running VDA
    to protect against CVE-2021-44228 and CVE-2021-45046:

        cd /opt/Citrix/VDA/lib64

        zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

    CVE-2021-45105:

    Investigation has shown that Linux VDA is not impacted. Nonetheless, the
    Linux VDA 2112 has been updated (21.12.0.30, released December 20th) to
    contain Apache log4j version 2.17.0.

    Not Impacted - Linux VDA LTSR all versions

    Not Impacted - All other CVAD components

    CVE-2021-44832: Not impacted

Citrix Workspace App
    Not impacted (all platforms)

What Customers Should Do

Affected customers are strongly recommended to immediately apply the latest
updates to reduce the risk of exploitation. All customers are recommended to
monitor this article for the latest updates. Customers may also subscribe to
receive notifications at https://support.citrix.com/user/alerts

Citrix also strongly recommends that customers consider security guidance
from vendors of other products that they may have deployed.

As an interim measure, Citrix ADC Standard, Advanced or Premium edition
customers may reduce the risk of exploitation of these vulnerabilities on
servers running behind a Citrix ADC by deploying updated WAF signatures or by
binding responder policies to the appropriate bind point (vserver or global).
Please see our blog for additional information. Citrix will continue to
monitor this dynamic situation and update the blog as new measures become
available.

What Citrix is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at https://support.citrix.com/ .

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix
Technical Support. Contact details for Citrix Technical Support are available
at https://www.citrix.com/support/open-a-support-case/ .

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers
any and all potential vulnerabilities seriously.
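The Linux VDA mitigation in the table above removes JndiLookup.class from
log4j-core-*.jar with `zip -q -d`, and the advisory separately states that the
updated Linux VDA 2112 build ships log4j 2.17.0. The Python script below is an
added example, not part of the Citrix advisory or the AusCERT bulletin: it
audits every log4j-core-*.jar in a directory (bundled version read from the
jar's Maven pom.properties, and whether JndiLookup.class is still present),
strips the class in place the way the zip command does, and re-audits so an
operator can confirm the result. The directory and jars it runs against are
constructed stand-ins built in a temporary directory, not the real contents of
/opt/Citrix/VDA/lib64; the pom.properties path is the standard Maven location
inside log4j-core jars, and the "2.17.0" threshold is the version the advisory
names for the updated Linux VDA.

```python
"""Audit and optionally strip JndiLookup.class from log4j-core jars (added example)."""
import glob
import os
import shutil
import tempfile
import zipfile

# Class removed by the advisory's "zip -q -d" mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Standard Maven metadata location inside a log4j-core jar (assumed present).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Version the advisory says the updated Linux VDA 2112 build contains.
UPDATED_VERSION = "2.17.0"


def version_tuple(version):
    """Turn '2.14.1' into (2, 14, 1) for ordering; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def log4j_version(jar_path):
    """Read the bundled log4j-core version from pom.properties, or None if absent."""
    with zipfile.ZipFile(jar_path) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None


def has_jndi_lookup(jar_path):
    """True if the jar still contains JndiLookup.class."""
    with zipfile.ZipFile(jar_path) as zf:
        return JNDI_LOOKUP in zf.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d`).

    Writes to a temporary file in the same directory and renames over the
    original so a crash mid-way cannot leave a truncated jar. Returns True
    when the class was present and removed, False when there was nothing to do.
    """
    if not has_jndi_lookup(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                continue
            dst.writestr(item, src.read(item.filename))  # keeps per-entry compression
    shutil.move(tmp_path, jar_path)
    return True


def audit(lib_dir):
    """Map each log4j-core-*.jar in lib_dir to (version, jndi_lookup_present)."""
    report = {}
    for jar in sorted(glob.glob(os.path.join(lib_dir, "log4j-core-*.jar"))):
        report[jar] = (log4j_version(jar), has_jndi_lookup(jar))
    return report


def needs_attention(version, jndi_present):
    """A jar needs attention if it still carries JndiLookup or is older than 2.17.0."""
    if jndi_present:
        return True
    return version is None or version_tuple(version) < version_tuple(UPDATED_VERSION)


def make_sample_jar(lib_dir, version, with_jndi=True):
    """Constructed stand-in for a vendor jar: a zip with the same entry names, not real log4j."""
    path = os.path.join(lib_dir, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return path


def demo():
    """Build a constructed lib dir, audit it, strip JndiLookup, audit again."""
    lib_dir = tempfile.mkdtemp(prefix="vda-lib64-")       # stand-in for /opt/Citrix/VDA/lib64
    make_sample_jar(lib_dir, "2.14.1")                    # unpatched jar, still carries JndiLookup
    make_sample_jar(lib_dir, "2.17.0", with_jndi=False)   # jar as shipped in the updated VDA build
    before = audit(lib_dir)
    removed = [jar for jar in before if strip_jndi_lookup(jar)]
    after = audit(lib_dir)
    return before, removed, after


if __name__ == "__main__":
    before, removed, after = demo()
    for jar, (ver, present) in after.items():
        flag = "ATTENTION" if needs_attention(ver, present) else "ok"
        print(f"{os.path.basename(jar)}: version={ver} jndi_lookup={present} -> {flag}")
```

Point `audit()` and `strip_jndi_lookup()` at the real lib64 directory (as root,
since the jars are root-owned) to reproduce the advisory's mitigation with a
before/after record. Even after the class is stripped, `needs_attention()` still
flags a jar whose version is below 2.17.0, mirroring the advisory's position
that the removal is an interim measure and the Linux VDA 2112 update remains
the fix.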
For details on our vulnerability response process and guidance on how to
report security-related issues to Citrix, please see the following webpage:
https://www.citrix.com/about/trust-center/vulnerability-process.html .

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of
guarantee or warranty, including the warranties of merchantability or fitness
for a particular use. Your use of the information on the document is at your
own risk. Citrix reserves the right to change or update this document at any
time.

Changelog

2021-12-11  Initial Publication
2021-12-11  Update to Citrix ADC (NetScaler ADC) and Citrix Gateway
            (NetScaler Gateway)
2021-12-12  Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway
            (NetScaler Gateway), Citrix Application Delivery Management
            (NetScaler MAS), Citrix License Server, Citrix ShareFile Storage
            Zones Controller, Citrix Virtual Apps and Desktops (XenApp &
            XenDesktop), and Citrix Workspace App
2021-12-13  Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway
            (NetScaler Gateway), Citrix Cloud Connector, Citrix Connector
            Appliance for Cloud Services, Citrix License Server, Citrix
            SD-WAN, Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-14  Added information about configurations that are designed to
            mitigate the risk of exploit of CVE-2021-44228.
2021-12-16  Updates to Citrix Endpoint Management On-premises (Citrix
            XenMobile Server)
2021-12-16  Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
            and Citrix Endpoint Management On-premises (Citrix XenMobile
            Server)
2021-12-16  Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-17  Updates to Citrix Content Collaboration (ShareFile Integration)
2021-12-18  Minor update to text to make it evident that the Security
            Bulletin addresses two CVEs - CVE-2021-44228 and CVE-2021-45046
2021-12-18  Updates to include CVE-2021-45105 and clarify text
2021-12-19  Update to the blog link
2021-12-20  Updates to Citrix Endpoint Management On-premises (Citrix
            XenMobile Server) and Citrix Virtual Apps and Desktops (XenApp &
            XenDesktop)
2021-12-22  Update to Citrix Endpoint Management On-premises (Citrix
            XenMobile Server)
2021-12-28  Update to include CVE-2021-44832
2021-12-29  Updates to Citrix Endpoint Management On-premises (Citrix
            XenMobile Server) and Citrix Virtual Apps and Desktops (XenApp &
            XenDesktop)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYde8EeNLKJtyKPYoAQhmIA/+Lren7nO34vBJIFtDYjdlmz+pUf/HcYzk
3VLV48ZksmAIyoAnFeSZVWjiVyKJvbRtFae02pOygg7kNZOn/OmPmZFyTkVVpydY
cK92niSJfnoeY18GmMzo6W140fVeMqZuDfY7vPSYdNDRm3WxLB2lAzLkz8i7Qxo0
sw+fRdr08OEuFoe21pG9ACLji9t4tzHI2twzCNLwaasWPeqkUdcIvDYJYL5/B91u
yGVhNBnuqw9JiPgCtKUPVlndP15tKLs4L8gb9zFJbZLxKxUEMPWKbQQom1TgX0dH
knsUCyaayL9b0j1sPyi/cNNUMv05VZzPlMPLkGJXGgwZFwunbk7GFlEkuUf5n1X8
IJGLQqIr/UIp81+CE4+na0j24bbkuoOmrLSkpla0CPCYh9Uev63XdhvhnBpsKnIf
dyOh7enwu3PfeESaDZwTtPp5DTNw+YlC/ePtf9vf0rn/qu6Nme2Sjy0abcFNDlgI
pzBun/VZaXdk2qnN3TpVvO725TC6oyDXTSQxk2AZ/vDCWfLAykPRdlpbqfcF9bi2
Uajh5fKlhp4nD9qGOJilH54G64vw6cR5lo2hYrOEgZPuJFeaV3r/EGdxWyracvoe
whVFavH5lWo+BrnB0nprpLxq8drsbrj96u/bYHXDQ8FOXk/OlxNlWJ9FmMqgfunN
wrEbHlTnYxU=
=ICMc
-----END PGP SIGNATURE-----