Overview
A vulnerability has recently been disclosed in the glibc gethostbyname() function. This issue could allow an attacker to inject code into a process that calls the vulnerable function. The issue is known as the GHOST vulnerability and has been assigned the following CVE identifier:
CVE-2015-0235: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
The vulnerable function is provided by some Linux based operating systems. Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.
A number of Citrix products incorporate Linux components. The following sections provide guidance on the impact and mitigation steps for these products. Citrix products that do not include or execute on a Linux based platform are not impacted by this vulnerability.
Citrix NetScaler MPX and VPX, and all Windows based components of XenDesktop and XenApp, do not include or use the vulnerable function and are therefore not impacted by this issue.
What Citrix Is Doing
Citrix is in the process of analyzing the potential impact of this issue on currently supported products that include the vulnerable component. The following section of this advisory provides more information on each product.
Products That May Include The Vulnerable Component:
Citrix XenServer
Citrix XenServer does include a vulnerable version of glibc but at present there is no known route by which a guest virtual machine would be able to invoke the vulnerable functionality through the hypervisor interface. As a defence in depth measure, Citrix has released a hotfix that updates the version of glibc present in XenServer. This is available at the following address: https://support.citrix.com/article/CTX200437
Citrix NetScaler SDX
The NetScaler SDX service VM (SVM) and NetScaler virtual appliances (VPX) running on an SDX appliance do not contain the vulnerable component and, as such, are not directly vulnerable to this issue. NetScaler SDX uses a version of XenServer that includes the vulnerable glibc component. At present there is no known route by which the issue could be exploited on the SDX platform.
Citrix XenMobile
Citrix XenMobile MDM functionality (both on-premise and cloud installations) is not impacted by this vulnerability. Citrix XenMobile Server 10.x is not impacted by this vulnerability.
The following versions of XenMobile AppController are impacted by this vulnerability:
- Citrix XenMobile App Controller 9.0 Rolling Patch 6 and earlier
To address this vulnerability, customers should apply Citrix XenMobile App Controller 9.0 Rolling Patch 7 or later. This update is available at the following address: https://support.citrix.com/article/CTX207571
Citrix Licensing
Currently supported versions of the Citrix License Server VPX are impacted by this vulnerability.
To address this issue, Citrix recommends that customers log in to the License Server console and update the VPX using the following command from the command line:
yum update
Following the completion of the update, the server should be rebooted to ensure that the updated packages are used.
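As an added example (not part of the Citrix advisory), a POSIX shell check that shows why the reboot matters: once yum update has replaced glibc on disk, any process that was already running keeps the old copy mapped until it restarts. The script parses /proc/<pid>/maps for libc mappings flagged "(deleted)"; the function names and the sample maps lines are constructed for illustration.

```shell
# stale_libc_mappings: read /proc/<pid>/maps content on stdin and print the
# unique paths of glibc (libc*.so) mappings flagged "(deleted)". A deleted
# mapping means the file on disk was replaced by the update but the process
# is still executing the old copy. Exit status 0 when at least one is found.
stale_libc_mappings() {
    grep -E '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' \
        | awk '{ print $6 }' | sort -u | grep .
}

# pids_with_stale_libc: scan every live process on this host and print
# "<pid> <comm> <old libc path>" for each one still mapping a replaced libc.
# An empty result after the update (or after the reboot) is what you want.
pids_with_stale_libc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        [ -r "$maps" ] || continue
        stale_libc_mappings < "$maps" 2>/dev/null | while read -r path; do
            printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$path"
        done
    done
}

# Constructed sample of /proc/<pid>/maps lines (not captured from a real
# system): two mappings of a replaced libc and one current loader mapping.
SAMPLE_MAPS='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 fd:00 1234 /lib64/libc-2.12.so (deleted)
7f1c2a1c0000-7f1c2a3c0000 ---p 001c0000 fd:00 1234 /lib64/libc-2.12.so (deleted)
7f1c2a5d0000-7f1c2a5f0000 r-xp 00000000 fd:00 5678 /lib64/ld-2.12.so'

# sample_stale_count: number of distinct replaced-libc paths in the sample.
# Both deleted lines map the same file, so the answer is 1.
sample_stale_count() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libc_mappings | wc -l | tr -d ' '
}

# sample_stale_path: the replaced-libc path reported for the sample.
sample_stale_path() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libc_mappings
}
```

Run pids_with_stale_libc as root on the License Server VPX after yum update: any line it prints is a process still executing the pre-update glibc, which the reboot clears.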
Citrix CloudPlatform
The following versions of Citrix CloudPlatform are impacted by this vulnerability:
- Citrix CloudPlatform 4.3.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.3.0.2.
- Citrix CloudPlatform 4.2.x: This vulnerability affects all versions of CloudPlatform up to and including version 4.2.1-6.
- Citrix CloudPlatform 3.0.x: This vulnerability affects all versions of CloudPlatform up to and including version 3.0.7 Patch G.
Citrix CloudPlatform 4.5 does include a vulnerable version of glibc, but we do not believe that a valid route to exploit it exists.
To address this vulnerability, customers should update their system and router virtual machine templates to the latest version. More information on how to obtain and upgrade these templates is available in the following article: https://support.citrix.com/article/CTX200024
Citrix XenClient Enterprise
Analysis of the impact to XenClient Enterprise is in progress. This section will be updated as soon as additional information is available.
Citrix ByteMobile Traffic Director (T1000 series systems)
ByteMobile Traffic Director is not affected by this vulnerability.
Citrix ByteMobile Video Cache (T2000 series systems)
ByteMobile Video Cache does make use of a vulnerable version of glibc. At present there is no known route by which the issue could be exploited. Citrix is currently in the process of releasing product updates to remove the underlying issue. This section will be updated when more information becomes available.
Citrix ByteMobile Adaptive Traffic Manager (T3000 series systems)
ByteMobile Adaptive Traffic Manager does make use of a vulnerable version of glibc. At present there is no known route by which the issue could be exploited. Citrix is currently in the process of releasing product updates to remove the underlying issue. This section will be updated when more information becomes available.
Citrix VDI-In-A-Box
The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:
- Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.6, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html
- Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html
Citrix Command Center
Citrix Command Center is impacted by this vulnerability. A new version of the product, 5.2 Build 44.8, has been released to address this vulnerability. This can be found at the following address:
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.html.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
Date | Change |
---|---|
January 28th 2015 | Initial bulletin publishing |
February 3rd 2015 | Update to XenMobile section |
February 18th 2015 | Update to XenServer section |
February 23rd 2015 | Addition of ByteMobile sections |
March 4th 2015 | Update to CloudPlatform section |
March 18th 2015 | Addition of VDI-In-A-Box section |
April 28th 2015 | Update to Licensing section |
May 11th 2015 | Update to NetScaler SDX section |
June 18th 2015 | Update to VDI-In-A-Box section |
October 13th 2015 | Addition of Command Center section |
May 5th 2016 | Update to XenMobile section |
May 9th 2016 | Clarify XenMobile section |