Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliance Security Update

2021-11-09T10:23:09
ID CTX330728
Type citrix
Reporter Citrix
Modified 2021-11-11T00:30:58

Description

<section class="article-content" data-swapid="ArticleContent"> <h2 class="section-heading" data-swapid="SectionHeading">Description of Problem</h2> <div class="content-block" data-swapid="ContentBlock"><p>Vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues: </p> <table border="1"><tbody><tr><td colspan="1" rowspan="1"> <p>CVE-ID  </p> </td><td colspan="1" rowspan="1"> <p>Description  </p> </td><td colspan="1" rowspan="1"> <p>CWE  </p> </td><td colspan="1" rowspan="1"> <p>Affected Products  </p> </td><td colspan="1" rowspan="1"> <p>Pre-conditions </p> </td><td colspan="1" rowspan="1"> <p>Criticality </p> </td></tr><tr><td colspan="1" rowspan="1"> <p>CVE-2021-22955 </p> </td><td colspan="1" rowspan="1"> <p>Unauthenticated denial of service  </p> </td><td colspan="1" rowspan="1"> <p>CWE-400: Uncontrolled Resource Consumption </p> </td><td colspan="1" rowspan="1"> <p>Citrix ADC, Citrix Gateway </p> </td><td colspan="1" rowspan="1"> <p>Appliance must be configured as a VPN (Gateway) or AAA virtual server </p> </td><td colspan="1" rowspan="1"> <p>Critical </p> </td></tr><tr><td colspan="1" rowspan="1"> <p>CVE-2021-22956 </p> </td><td colspan="1" rowspan="1"> <p>Temporary disruption of the Management GUI, Nitro API and RPC communication </p> </td><td colspan="1" rowspan="1"> <p>CWE-400: Uncontrolled Resource Consumption </p> </td><td colspan="1" rowspan="1"> <p>Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition </p> </td><td colspan="1" rowspan="1"> <p>Access to NSIP or SNIP with management interface access </p> </td><td colspan="1" rowspan="1"> <p>Low </p> </td></tr></tbody></table> <p>CVE-2021-22955: The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability: </p> <ul><li> 
<p>Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27</p> </li><li> <p>Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22</p> </li><li> <p>Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23</p> </li><li> <p>Citrix ADC 12.1-FIPS before 12.1-55.257</p> </li></ul>
<p>CVE-2021-22956: All supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition are affected by this vulnerability until the appliance has been configured according to the <a href="https://support.citrix.com/article/CTX331588" target="_blank">Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition - Management Module Configuration Reference Guide</a>.</p>
<p>The following supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition support this configuration change:</p>
<ul><li> <p>Citrix ADC and Citrix Gateway 13.1-4.43 and later releases</p> </li><li> <p>Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0</p> </li><li> <p>Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1</p> </li><li> <p>Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1</p> </li><li> <p>Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS</p> </li><li> <p>Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4</p> </li><li> <p>Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2</p> </li></ul>
<p>Please note that the WANOP feature of SD-WAN Premium Edition is not impacted.</p>
<p>This bulletin only applies to customer-managed Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP Edition appliances. Customers using Citrix-managed cloud services do not need to take any action.</p></div> </section>
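The build thresholds listed above can be applied to an appliance inventory as follows. This is an added example, not Citrix code: it assumes build strings in the `release-build.patch` form the bulletin uses and that FIPS status is tracked separately; `assess` and `INVENTORY` are hypothetical names, the hosts are constructed, and SD-WAN WANOP versions are not handled.

```python
import re

# First fixed build per release branch for CVE-2021-22955, from the bulletin.
# Key: (release, is_fips) -> (build, patch).
FIXED_22955 = {
    ("13.0", False): (83, 27),
    ("12.1", False): (63, 22),
    ("11.1", False): (65, 23),
    ("12.1", True): (55, 257),
}
# Builds from which the CVE-2021-22956 management configuration is supported.
MGMT_CONFIG_MIN = {**FIXED_22955, ("13.1", False): (4, 43)}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")

def parse_build(version):
    """Split '13.0-83.27' into ('13.0', (83, 27)); integers, not strings."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def assess(version, fips=False):
    """Classify one ADC/Gateway build against both CVEs in the bulletin."""
    release, build = parse_build(version)
    key = (release, fips)
    fixed = FIXED_22955.get(key)
    if fixed is None:
        # Branch is not in the bulletin's affected list (e.g. 13.1).
        status = "not-listed"
    else:
        # Tuple comparison is numeric: 55.30 sorts below 55.257.
        status = "affected" if build < fixed else "fixed"
    minimum = MGMT_CONFIG_MIN.get(key)
    return {
        "CVE-2021-22955": status,
        "CVE-2021-22956-config-supported": minimum is not None and build >= minimum,
    }

# Constructed sample inventory: (hostname, build, is_fips)
INVENTORY = [
    ("adc-edge-01", "13.0-82.45", False),
    ("adc-fips-01", "12.1-55.257", True),
    ("gw-lab-01", "13.1-4.43", False),
]

if __name__ == "__main__":
    for host, version, fips in INVENTORY:
        print(host, version, assess(version, fips))
```

A build that reports `CVE-2021-22956-config-supported: True` still needs the management module configuration from CTX331588 applied; the flag only says the build accepts that change.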