CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001 Low (Percentile: 36.9%)
Vulnerabilities have been discovered in Citrix ADC and Citrix Gateway that, if exploited, could result in a denial of service.
These vulnerabilities have the following identifiers:
CVE-ID | Description | CWE | Pre-conditions
---|---|---|---
CVE-2022-27507 | Authenticated denial of service | CWE-400: Uncontrolled Resource Consumption | VPN (Gateway) virtual server with DTLS, and either ‘HDX Insight for EDT traffic’ or ‘SmartControl’ is configured
CVE-2022-27508 | Unauthenticated denial of service | CWE-400: Uncontrolled Resource Consumption | Appliance must be configured as a VPN (Gateway) or AAA virtual server
CVE-2022-27507 (Medium severity)
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability if DTLS is enabled and either ‘HDX Insight for EDT traffic’ or ‘SmartControl’ has been configured:
Citrix ADC and Citrix Gateway 13.1 before 13.1-21.50
Citrix ADC and Citrix Gateway 13.0 before 13.0-85.19
Citrix ADC and Citrix Gateway 12.1 before 12.1-64.17
Citrix ADC 12.1-FIPS before 12.1-55.278
Citrix ADC 12.1-NDcPP before 12.1-55.278
Citrix ADC and Citrix Gateway are vulnerable if both of the following conditions are met:
Customers can determine if DTLS is enabled by executing the following CLI command:
show vpn vserver
For each vServer, “Dtls : ON” or “Dtls : OFF” will indicate the DTLS state.
Customers can determine if ‘HDX Insight for EDT traffic’ or ‘SmartControl’ has been configured by inspecting the ns.conf file for a VPN vserver policy binding with an ICA_REQUEST type. For example:
bind vpn vserver <name> -policy <policy_name> -priority 100 -type ICA_REQUEST
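As an added example (not part of the advisory and not a Citrix tool), the following Python sketch automates the two checks above: it reads the “Dtls : ON/OFF” state per vserver from `show vpn vserver` output and the ICA_REQUEST bindings from ns.conf, and reports the vservers that meet both CVE-2022-27507 pre-conditions. The sample output and config lines are constructed; the layout of the show output beyond the “Dtls :” token and the policy names are assumptions.

```python
import re

# Constructed `show vpn vserver` output. Only the "Dtls : ON/OFF" token is
# taken from the advisory; the surrounding layout is assumed.
SHOW_VPN_VSERVER = """\
1)\tgw_edt (10.0.0.10:443) - SSL\tType: CONTENT
\tState: UP
\tDtls : ON
2)\tgw_plain (10.0.0.11:443) - SSL\tType: CONTENT
\tState: UP
\tDtls : OFF
3)\tgw_dtls_only (10.0.0.12:443) - SSL\tType: CONTENT
\tState: UP
\tDtls : ON
"""

# Constructed ns.conf excerpt using the binding form quoted in the advisory.
NS_CONF = """\
add vpn vserver gw_edt SSL 10.0.0.10 443
add vpn vserver gw_plain SSL 10.0.0.11 443
add vpn vserver gw_dtls_only SSL 10.0.0.12 443
bind vpn vserver gw_edt -policy hdx_insight_pol -priority 100 -type ICA_REQUEST
bind vpn vserver gw_plain -policy smartcontrol_pol -priority 100 -type ICA_REQUEST
bind vpn vserver gw_dtls_only -policy auth_pol -priority 100 -type REQUEST
"""

VSERVER_RE = re.compile(r"^\d+\)\s+(\S+)\s")          # "1)<tab>name (..."
DTLS_RE = re.compile(r"^\s*Dtls\s*:\s*(ON|OFF)\s*$", re.I)
ICA_BIND_RE = re.compile(r"^bind vpn vserver (\S+) .*-type ICA_REQUEST\b", re.M)

def dtls_state(show_output):
    """Map each VPN vserver name to True when its Dtls field reads ON."""
    state, current = {}, None
    for line in show_output.splitlines():
        m = VSERVER_RE.match(line)
        if m:
            current = m.group(1)       # new vserver block starts
            continue
        m = DTLS_RE.match(line)
        if m and current:
            state[current] = m.group(1).upper() == "ON"
    return state

def ica_request_bindings(ns_conf):
    """Set of VPN vservers with an ICA_REQUEST policy binding (HDX Insight / SmartControl)."""
    return {m.group(1) for m in ICA_BIND_RE.finditer(ns_conf)}

def exposed_vservers(show_output, ns_conf):
    """VPN vservers with DTLS ON *and* an ICA_REQUEST binding: both pre-conditions met."""
    dtls = dtls_state(show_output)
    ica = ica_request_bindings(ns_conf)
    return sorted(name for name, on in dtls.items() if on and name in ica)

if __name__ == "__main__":
    print("vservers meeting both CVE-2022-27507 pre-conditions:",
          exposed_vservers(SHOW_VPN_VSERVER, NS_CONF))
```

A vserver that is only DTLS-enabled, or only carries an ICA_REQUEST binding, is not listed, which matches the advisory's "both conditions" wording; the version check against the affected builds above still has to be done separately.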
CVE-2022-27508 (High severity)
The only supported version of Citrix ADC and Citrix Gateway affected by this vulnerability is:
All other supported versions of Citrix ADC and Citrix Gateway, including FIPS and NDcPP versions, are not affected by this issue.
CPE
Name | Operator | Version
---|---|---
citrix adc | ge | 13.1
citrix adc | le | 21.50
citrix adc | ge | 14.0.0
citrix adc | ge | 15.0.0
citrix adc | ge | 16.0.0
citrix adc | ge | 17.0.0
citrix adc | ge | 18.0.0
citrix adc | ge | 19.0.0
citrix adc | ge | 20.0.0
citrix gateway | ge | 13.1