CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C); Access Vector: NETWORK, Access Complexity: LOW, Authentication: NONE, Confidentiality Impact: COMPLETE, Integrity Impact: COMPLETE, Availability Impact: COMPLETE
EPSS: 0.975 High (percentile 100.0%)
A vulnerability has been recently disclosed in the glibc gethostbyname() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue is known as the GHOST vulnerability and has been assigned the following CVE identifier:
CVE-2015-0235: <https://vulners.com/cve/CVE-2015-0235>
The vulnerable function is provided by some Linux based operating systems. Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.
A number of Citrix products incorporate Linux components. The following sections provide guidance on the impact and mitigation steps for these products. Citrix products that do not include or execute on a Linux based platform are not impacted by this vulnerability.
Citrix NetScaler MPX and VPX, and all Windows based components of XenDesktop and XenApp, do not include or use the vulnerable function and are therefore not impacted by this issue.
Citrix is in the process of analyzing the potential impact of this issue on currently supported products that include the vulnerable component. The following section of this advisory provides more information on each product.
Citrix XenServer does include a vulnerable version of glibc but at present there is no known route by which a guest virtual machine would be able to invoke the vulnerable functionality through the hypervisor interface. As a defence in depth measure, Citrix has released a hotfix that updates the version of glibc present in XenServer. This is available at the following address: <https://support.citrix.com/article/CTX200437>
The NetScaler SDX service VM (SVM) and NetScaler virtual appliances (VPX) running on an SDX appliance do not contain the vulnerable component and, as such, are not directly vulnerable to this issue. NetScaler SDX uses a version of XenServer which includes the vulnerable glibc component. At present there is no known route by which the issue could be exploited on the SDX platform.
Citrix XenMobile MDM functionality (both on-premise and cloud installations) is not impacted by this vulnerability. Citrix XenMobile Server 10.x is not impacted by this vulnerability.
The following versions of XenMobile AppController are impacted by this vulnerability:
To address this vulnerability, customers should apply Citrix XenMobile App Controller 9.0 Rolling Patch 7 or later. This update is available at the following address: <https://support.citrix.com/article/CTX207571>
Currently supported versions of the Citrix License Server VPX are impacted by this vulnerability.
To address this issue, Citrix recommends that customers log in to the License Server console and update the VPX using the following command from the command line:
yum update
Following the completion of the update, the server should be rebooted to ensure that the updated packages are used.
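The reboot step above matters because a process that was already running when `yum update` replaced glibc keeps the old library mapped until it is restarted. The script below is an added example, not part of the Citrix bulletin: it walks `/proc/PID/maps` and reports processes whose libc mapping points at a replaced file (the kernel marks such mappings `(deleted)`), which is a practical way to confirm that the updated package is actually in use. It assumes a Linux host with `/proc` and needs to run as root to read other users' maps.

```shell
# Added example (not Citrix code): find processes still using a replaced glibc.
# Assumes Linux /proc; run as root so every process's maps file is readable.

# Returns 0 (true) when the /proc/PID/maps content on stdin contains a libc
# mapping whose backing file was replaced on disk, e.g.
#   7f..-7f.. r-xp 00000000 08:01 1234 /lib64/libc-2.17.so (deleted)
# Matches libc-<ver>.so and libc.so.6 but not libcrypto, libcap, etc.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$'
}

# Print "PID<TAB>command line" for every process holding a stale libc.
# An empty report after the reboot means the updated glibc is in use everywhere.
report_stale_libc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # Unreadable maps (other users, vanished processes) are skipped silently.
        if maps_has_stale_libc < "$maps" 2>/dev/null; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s\t%s\n' "$pid" "${cmd:-[kernel thread]}"
        fi
    done
}

# Usage: sh stale_libc.sh --scan
if [ "${1:-}" = "--scan" ]; then
    report_stale_libc
fi
```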
The following versions of Citrix CloudPlatform are impacted by this vulnerability:
Citrix CloudPlatform 4.5 does include a vulnerable version of glibc but we do not believe that a valid route to exploit exists.
To address this vulnerability, customers should update their system and router virtual machine templates to the latest version. More information on how to obtain and upgrade these templates is available in the following article: <https://support.citrix.com/article/CTX200024>
Analysis of the impact on XenClient Enterprise is in progress. This section will be updated as soon as additional information is available.
ByteMobile Traffic Director is not affected by this vulnerability.
ByteMobile Video Cache does make use of a vulnerable version of glibc. At present there is no known route by which the issue could be exploited. Citrix is currently in the process of releasing product updates to remove the underlying issue. This section will be updated when more information becomes available.
ByteMobile Adaptive Traffic Manager does make use of a vulnerable version of glibc. At present there is no known route by which the issue could be exploited. Citrix is currently in the process of releasing product updates to remove the underlying issue. This section will be updated when more information becomes available.
The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:
Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.6, has been released to address this vulnerability. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html>
Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: <https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html>
Citrix Command Center is impacted by this vulnerability. A new version of the product, 5.2 Build 44.8, has been released to address this vulnerability. This can be found at the following address: <https://www.citrix.com/downloads/command-center.html>
The above list will be updated as the analysis into this issue progresses.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Date | Change |
---|---|
January 28th 2015 | Initial bulletin publishing |
February 3rd 2015 | Update to XenMobile section |
February 18th 2015 | Update to XenServer section |
February 23rd 2015 | Addition of ByteMobile sections |
March 4th 2015 | Update to CloudPlatform section |
March 18th 2015 | Addition of VDI-In-A-Box section |
April 28th 2015 | Update to Licensing section |
May 11th 2015 | Update to NetScaler SDX section |
June 18th 2015 | Update to VDI-In-A-Box section |
October 13th 2015 | Addition of Command Center section |
May 5th 2016 | Update to XenMobile section |
May 9th 2016 | Clarify XenMobile section |