CVSS3 score: 10 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS2 score: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

EPSS: 0.976 High (Percentile 100.0%)
Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of which may allow an attacker to execute arbitrary code. These three vulnerabilities have been given the following identifiers:
The fourth vulnerability may allow an attacker to cause a denial of service. This vulnerability has been given the following identifier:
Citrix continues to investigate any potential impact on Citrix-managed cloud services. If, as the investigation continues, any Citrix-managed services are found to be affected by this issue, Citrix will take immediate action to remediate the problem. Customers using Citrix-managed cloud services do not need to take any action.
In parallel, Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.
Product | Status |
---|---|
Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) | Not impacted (all platforms) |
Citrix Application Delivery Management (NetScaler MAS) | Not impacted (all platforms) |
Citrix Cloud Connector | Not impacted |
Citrix Connector Appliance for Cloud Services | Not impacted |
Citrix Content Collaboration (ShareFile Integration) – Citrix Files for Windows, Citrix Files for Mac, Citrix Files for Outlook | Not impacted |
Citrix Endpoint Management (Citrix XenMobile Server) | Impacted – Customers are advised to apply the latest CEM rolling patch updates listed below as soon as possible to reduce the risk of exploitation. |
Citrix Hypervisor (XenServer) | Not impacted |
Citrix License Server | Not impacted |
Citrix SD-WAN | Not impacted (all platforms) |
Citrix ShareFile StorageZones Controller | Not impacted |
Citrix Virtual Apps and Desktops (XenApp & XenDesktop) | Impacted – Linux VDA (non-LTSR versions only); details listed below |
Citrix Workspace App | Not impacted (all platforms) |

Citrix Endpoint Management (Citrix XenMobile Server) details:

CVE-2021-44228 and CVE-2021-45046:
XenMobile Server 10.14 RP2: <https://support.citrix.com/article/CTX335763>
XenMobile Server 10.13 RP5: <https://support.citrix.com/article/CTX335753>
XenMobile Server 10.12 RP10: <https://support.citrix.com/article/CTX335785>

CVE-2021-45105:
XenMobile Server 10.14 RP3: <https://support.citrix.com/article/CTX335897>
XenMobile Server 10.13 RP6: <https://support.citrix.com/article/CTX335875>
XenMobile Server 10.12 RP11: <https://support.citrix.com/article/CTX335861>

Note: Customers who have upgraded their XenMobile Server to the updated versions are recommended not to apply the responder policy mentioned in the blog listed below to the Citrix ADC vserver in front of the XenMobile Server, as it may impact the enrollment of Android devices.

CVE-2021-44832: Not impacted

Citrix Virtual Apps and Desktops (XenApp & XenDesktop) details:

CVE-2021-44228 and CVE-2021-45046:
Customers are advised to apply the latest update as soon as possible to reduce the risk of exploitation.

Mitigations:
Customers who are not able to upgrade immediately can execute the following commands with root privileges on the Linux machine running VDA to protect against CVE-2021-44228 and CVE-2021-45046:

```sh
cd /opt/Citrix/VDA/lib64
# Remove the JndiLookup class from the bundled log4j-core jar in place
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
```

CVE-2021-45105:
Investigation has shown that Linux VDA is not impacted. Nonetheless, Linux VDA 2112 has been updated (21.12.0.30, released December 20th) to contain Apache Log4j version 2.17.0.

Not impacted – Linux VDA LTSR, all versions
Not impacted – All other CVAD components

CVE-2021-44832: Not impacted
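To confirm that the Linux VDA mitigation above actually took effect, and to see which of the four advisory CVEs a given log4j-core jar version still lacks a fix for, here is an added Python example (not Citrix's code): it inspects a log4j-core jar such as the one under /opt/Citrix/VDA/lib64, reports whether JndiLookup.class is still present, and reproduces the `zip -d` step in Python for comparison. The fixed-version table assumes the Log4j 2.x (Java 8) release line, and the sample jar it builds is a constructed stand-in, not a real Log4j build.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed release on the Log4j 2.x (Java 8) line for each CVE in this advisory.
FIXED_IN = {"CVE-2021-44228": (2, 15, 0), "CVE-2021-45046": (2, 16, 0),
            "CVE-2021-45105": (2, 17, 0), "CVE-2021-44832": (2, 17, 1)}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(jar_name):
    """Version tuple from a name like log4j-core-2.13.3.jar, or None if unparseable."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)", jar_name)
    return tuple(int(x) for x in m.groups()) if m else None

def assess_jar(jar_path):
    """Return (version, jndi_present, unfixed_cves) for one log4j-core jar."""
    version = parse_version(Path(jar_path).name)
    with zipfile.ZipFile(jar_path) as jar:
        jndi_present = JNDI_CLASS in jar.namelist()
    # An unparseable version is treated as unfixed for every CVE (fail closed).
    unfixed = [c for c, fixed in FIXED_IN.items() if version is None or version < fixed]
    if not jndi_present:  # class gone: the JNDI lookup path for 44228/45046 is closed
        unfixed = [c for c in unfixed if c not in ("CVE-2021-44228", "CVE-2021-45046")]
    return version, jndi_present, unfixed

def remove_jndi_lookup(jar_path):
    """Same effect as `zip -q -d <jar> .../JndiLookup.class`: rewrite the jar without it."""
    jar_path = Path(jar_path)
    tmp = jar_path.with_suffix(".tmp")
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for item in src.infolist():
            if item.filename != JNDI_CLASS:
                dst.writestr(item, src.read(item.filename))
    tmp.replace(jar_path)

def make_sample_jar(lib_dir, version):
    """Constructed stand-in for a log4j-core jar (placeholder bytes, not real bytecode)."""
    path = Path(lib_dir) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path

def demo(version="2.13.3"):
    """Assess a constructed jar before and after the class removal."""
    with tempfile.TemporaryDirectory() as lib_dir:
        jar = make_sample_jar(lib_dir, version)
        before = assess_jar(jar)
        remove_jndi_lookup(jar)
        after = assess_jar(jar)
    return before, after
```

On a real VDA host, call assess_jar on each log4j-core-*.jar in /opt/Citrix/VDA/lib64 after running the advisory's commands; the class removal only addresses the two JNDI-lookup CVEs, so the version check still matters for the other two.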