Citrix CTX206991
Published: Feb 19, 2016 - 4:00 a.m.

CVE-2015-7547 - Citrix Security Advisory for glibc Vulnerability

Source: support.citrix.com

CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS: 0.974 High (Percentile: 99.9%)

Overview

A vulnerability has recently been disclosed in the glibc getaddrinfo() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue has been assigned the following CVE identifier:

CVE-2015-7547: <https://vulners.com/cve/CVE-2015-7547>

The vulnerable function is provided by some Linux-based operating systems. Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.

The following sections provide guidance on the impact and mitigation steps for Linux-based Citrix products. Citrix products that do not include or execute on a Linux-based platform are not impacted by this vulnerability.

Windows-based components of XenDesktop and XenApp do not include or use the vulnerable function and are therefore not impacted by this issue.

What Citrix is Doing

Citrix is in the process of analyzing the potential impact of this issue on currently supported products that use or include the vulnerable component. The following section of this advisory provides more information on each product.

Product Details

Citrix NetScaler

NetScaler VPX, NetScaler MPX, NetScaler SDX, NetScaler Insight Center and Command Center Appliance are not affected by this vulnerability.

The NetScaler Gateway Client for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.

Citrix XenServer

Currently supported versions of Citrix XenServer do not contain a vulnerable version of glibc and, as such, are not affected by this vulnerability.

Citrix XenMobile

Citrix XenMobile MDM 9.x for Windows is not impacted by this vulnerability. Worx Apps and MDX are not impacted by this vulnerability.

The following XenMobile product versions are impacted by this vulnerability:

  • XenMobile Server 10.x: XenMobile Server 10.3 Rolling Patch 1 and earlier
  • XenMobile App Controller 9.x: XenMobile App Controller 9.0 Rolling Patch 6 and earlier

To address this vulnerability, customers should apply the following updates:

XenMobile Cloud customer deployments have been patched by the Citrix XenMobile Cloud Operations team. For more details contact technical support.

Citrix Receiver for Linux

The Receiver for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.

Citrix Linux Virtual Desktop

Citrix Linux Virtual Desktop deployments may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.

Citrix Licensing

The License Server VPX appliance does contain a vulnerable version of glibc. Citrix has released a new version of the License Server VPX, 11.13.1.2, that addresses this issue. This new version can be downloaded from the following location on the Citrix Website:

<https://www.citrix.com/downloads/licensing.html>

Customers using older versions of the License Server VPX that are not able to upgrade can, as an interim measure, log in to the License Server console and update the VPX using the following command from the command line:

yum update

Following the completion of the update, the server should be rebooted to ensure that the updated packages are used.

Citrix XenDesktop Volume Worker Template

Customers deploying Virtual Desktop Agents that are hosted on Citrix CloudPlatform are advised to verify that the volume worker template is using a version of glibc that is not vulnerable to this issue. Setup instructions for the volume worker template on CloudPlatform can be found in the following document: <http://docs.citrix.com/content/dam/docs/en-us/cloudplatform/cloudplatform-43/downloads/xa-xd-cloudplatform_2014.pdf>.

Amazon Web Services based deployments use the Linux AMI template. Guidance from Amazon about this issue can be found at the following location: <https://aws.amazon.com/security/security-bulletins/cve-2015-7547-advisory/>
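The Licensing and Volume Worker Template sections above both come down to the same question: does the glibc on a given Linux host carry the fix? The following POSIX shell check is an added example, not part of the Citrix advisory. It assumes that the upstream fix shipped in glibc 2.23 (a version the advisory itself does not state) and that RPM-based hosts such as the License Server VPX record backported CVE fixes in the glibc package changelog, which matters because distributions often backport the fix without changing the version string.

```shell
#!/bin/sh
# Added example, not from the Citrix advisory. Checks a Linux host's glibc
# against CVE-2015-7547. Assumptions: the upstream fix shipped in glibc 2.23
# (not stated in the advisory); RPM-based hosts record backported CVE fixes
# in the package changelog.

FIXED_MAJOR=2
FIXED_MINOR=23

# glibc_version_fixed MAJOR.MINOR[.PATCH] -> 0 (true) if >= 2.23, else 1.
glibc_version_fixed() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ] && return 0
    return 1
}

# parse_ldd_version "ldd (GNU libc) 2.17" -> prints 2.17; prints nothing
# for non-glibc output such as musl's "musl libc (x86_64)".
parse_ldd_version() {
    printf '%s\n' "$1" | sed -n 's/^ldd ([^)]*) \([0-9][0-9.]*\).*/\1/p'
}

# changelog_mentions_cve -> 0 if the rpm glibc changelog names CVE-2015-7547.
# Backported fixes keep the old version string, so on RHEL/CentOS-style hosts
# this is the check that matters; where rpm is absent it simply returns 1.
changelog_mentions_cve() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --changelog glibc 2>/dev/null | grep -q 'CVE-2015-7547'
}

# check_host prints a verdict for the host the script runs on.
check_host() {
    ver=$(parse_ldd_version "$(ldd --version 2>/dev/null | head -n 1)")
    if [ -n "$ver" ] && glibc_version_fixed "$ver"; then
        echo "glibc $ver: at or above 2.23, not vulnerable to CVE-2015-7547"
    elif changelog_mentions_cve; then
        echo "glibc $ver: backported fix for CVE-2015-7547 found in package changelog"
    else
        echo "glibc ${ver:-unknown}: no fix detected, apply OS updates and reboot"
    fi
}
```

Run `check_host` on the License Server VPX before and after `yum update` and the reboot; a version below 2.23 with no changelog entry means the update has not yet landed.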

Citrix VDI in a Box

Citrix VDI-In-A-Box (VIAB) version 5.4.x is impacted by this vulnerability. A new version of VIAB, 5.4.8, has been released to address this vulnerability. This can be found at the following address:

<https://www.citrix.com/downloads/vdi-in-a-box.html>

Citrix CloudBridge

Citrix CloudBridge 7.x does not contain a vulnerable version of glibc and, as such, is not affected by this vulnerability. Analysis of the impact of this issue on Citrix CloudBridge 8.x is in progress. This section will be updated as soon as additional information is available.

Citrix ByteMobile

Analysis of the impact of this issue on Citrix ByteMobile is in progress. This section will be updated as soon as additional information is available.

The above list will be updated as the analysis into this issue progresses.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.

Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix

Changelog

Date Change
February 19th 2016 Initial bulletin publishing
February 19th 2016 Update to NetScaler and XenMobile sections, addition of CloudBridge and ByteMobile sections
February 22nd 2016 Update to NetScaler section for Command Center Appliance
February 23rd 2016 Update to NetScaler section for NetScaler Gateway Client on Linux
March 14th 2016 Update to Licensing section
May 5th 2016 Update to XenMobile section
May 9th 2016 Clarify XenMobile section
May 16th 2016 Update to XenDesktop Volume Worker Template section
November 17th 2016 Update to VDI in a Box section
