Citrix CTX335705
History: Dec 11, 2021 - 5:15 p.m.

Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.

Published: 2021-12-11 17:15:50
Source: support.citrix.com

CVSS3: 10.0 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 9.3 High
AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.976 High (percentile 100.0%)

Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of which may allow an attacker to execute arbitrary code. These three vulnerabilities have been given the following identifiers:

  • CVE-2021-44228
  • CVE-2021-45046
  • CVE-2021-44832

The fourth vulnerability may allow an attacker to cause a denial of service. This vulnerability has been given the following identifier:

  • CVE-2021-45105

Citrix continues to investigate any potential impact on Citrix-managed cloud services. If, as the investigation continues, any Citrix-managed services are found to be affected by this issue, Citrix will take immediate action to remediate the problem. Customers using Citrix-managed cloud services do not need to take any action.

In parallel, Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.

Product | Status
Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) | Not impacted (all platforms)
Citrix Application Delivery Management (NetScaler MAS) | Not impacted (all platforms)
Citrix Cloud Connector | Not impacted
Citrix Connector Appliance for Cloud Services | Not impacted
Citrix Content Collaboration (ShareFile Integration) - Citrix Files for Windows, Citrix Files for Mac, Citrix Files for Outlook | Not impacted
Citrix Endpoint Management (Citrix XenMobile Server) | Impacted - Customers are advised to apply the latest CEM rolling patch updates listed below as soon as possible to reduce the risk of exploitation.

CVE-2021-44228 and CVE-2021-45046:

CVE-2021-45105:

Note: Customers who have upgraded their XenMobile Server to the updated versions are recommended not to apply the responder policy mentioned in the blog listed below to the Citrix ADC vserver in front of the XenMobile Server, as it may impact the enrollment of Android devices.

CVE-2021-44832: Not impacted
Citrix Hypervisor (XenServer) | Not impacted
Citrix License Server | Not impacted
Citrix SD-WAN | Not impacted (all platforms)
Citrix ShareFile StorageZones Controller | Not impacted
Citrix Virtual Apps and Desktops (XenApp & XenDesktop) | Impacted - Linux VDA (non-LTSR versions only)

CVE-2021-44228 and CVE-2021-45046:

Customers are advised to apply the latest update as soon as possible to reduce the risk of exploitation.

Mitigations:

Customers who are not able to upgrade immediately can execute the following commands with root privileges on the Linux machine running the VDA to protect against CVE-2021-44228 and CVE-2021-45046. The second command deletes the JndiLookup class from the log4j-core jar, which is the mitigation Apache recommended for Log4j 2.x releases before 2.16.0:

cd /opt/Citrix/VDA/lib64

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

The glob must expand to exactly one jar: zip treats only its first argument as the archive and any further file names as entries to delete, so list the directory first. Confirm the result with unzip -l log4j-core-*.jar | grep JndiLookup (no output means the class is gone), and restart the VDA's Java processes afterwards, since a running JVM keeps the original jar open and will not see the change until it is restarted.
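
The same mitigation as a scripted check, added here as an example and not Citrix code or part of the advisory: it walks a directory tree for log4j-core jars, decides from the version in the file name whether the jar is still exposed to CVE-2021-44228 / CVE-2021-45046 (fixed upstream in 2.16.0, with 2.12.2 as the Java 7 backport), rewrites the exposed jars without JndiLookup.class while keeping a .bak copy, and re-scans to verify. It assumes the upstream naming log4j-core-X.Y.Z.jar; the function names are mine, and the jars exercised by demo() are constructed stand-ins with a stub JndiLookup entry rather than real Log4j bytecode.

```python
"""Locate log4j-core jars under a directory, flag those still exposed to
CVE-2021-44228 / CVE-2021-45046, and strip JndiLookup.class from them.

Added example, not Citrix code: a scripted version of the advisory's
`zip -q -d log4j-core-*.jar .../JndiLookup.class` mitigation with a version
check, a backup and a post-check. Assumes upstream naming log4j-core-X.Y.Z.jar."""
import os
import re
import shutil
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def jar_version(path):
    """(major, minor, patch) parsed from a log4j-core jar file name, else None."""
    m = JAR_RE.match(os.path.basename(path))
    return tuple(int(g) for g in m.groups()) if m else None


def jar_has_jndi_lookup(path):
    """True while the jar still carries the JNDI lookup class."""
    with zipfile.ZipFile(path) as zf:
        return JNDI_CLASS in zf.namelist()


def jar_needs_mitigation(path):
    """Log4j 2.x below 2.16.0 (2.12.2 is the Java 7 backport) with JndiLookup
    present is exposed; anything else is left alone. Conservative: the old
    2.3.x line is flagged even when patched, so check upstream notes for it."""
    v = jar_version(path)
    if v is None or v[0] != 2:
        return False
    fixed = v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0)
    return not fixed and jar_has_jndi_lookup(path)


def strip_jndi_lookup(path):
    """Rewrite the jar without JndiLookup.class. zipfile cannot delete in place,
    so every other entry is copied to a temp file beside the jar, a .bak of the
    original is kept, and the temp file replaces the jar. Returns entries removed."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", suffix=".tmp")
    os.close(fd)
    removed = 0
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1
                continue
            dst.writestr(info, src.read(info.filename))
    shutil.copy2(path, path + ".bak")
    os.replace(tmp, path)
    return removed


def scan_dir(lib_dir):
    """Map each log4j-core jar under lib_dir to whether it needs mitigation."""
    report = {}
    for root, _, files in os.walk(lib_dir):
        for name in files:
            if JAR_RE.match(name):
                full = os.path.join(root, name)
                report[full] = jar_needs_mitigation(full)
    return report


def make_sample_jar(directory, version, with_jndi=True):
    """Constructed stand-in for a log4j-core jar (manifest, one dummy class and
    optionally a stub JndiLookup entry). Not real Log4j bytecode; demo only."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe stub")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe stub")
    return path


def demo():
    """Run the whole flow on two constructed jars in a scratch directory. Returns
    (old_before, new_before, old_after, new_after, entries_removed, backup_intact)."""
    work = tempfile.mkdtemp()
    try:
        old = make_sample_jar(work, "2.14.1")   # exposed
        new = make_sample_jar(work, "2.17.0")   # class present, but version is fixed
        before = scan_dir(work)
        removed = sum(strip_jndi_lookup(p) for p, bad in before.items() if bad)
        after = scan_dir(work)
        backup_ok = jar_has_jndi_lookup(old + ".bak")
        return (before[old], before[new], after[old], after[new], removed, backup_ok)
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

On a real VDA the calls would be scan_dir("/opt/Citrix/VDA/lib64") followed by strip_jndi_lookup() on each path it flags, run as root and followed by a restart of the VDA's Java processes. The version gate is only there to avoid touching jars that are already fixed; when the file name does not carry the version (a renamed or shaded jar), fall back to the presence check alone.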

CVE-2021-45105:

Investigation has shown that Linux VDA is not impacted. Nonetheless, the Linux VDA 2112 has been updated (21.12.0.30, released December 20th) to contain Apache log4j version 2.17.0.

Not Impacted - Linux VDA LTSR, all versions

Not Impacted - All other CVAD components

CVE-2021-44832: Not impacted
Citrix Workspace App | Not impacted (all platforms)
