Description of Problem
Vulnerabilities have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could result in the following security issues:
| CVE-ID | Description | CWE | Affected Products | Pre-conditions | Criticality |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-22955 | Unauthenticated denial of service | CWE-400: Uncontrolled Resource Consumption | Citrix ADC, Citrix Gateway | Appliance must be configured as a VPN (Gateway) or AAA virtual server | Critical |
| CVE-2021-22956 | Temporary disruption of the Management GUI, Nitro API and RPC communication | CWE-400: Uncontrolled Resource Consumption | Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition | Access to NSIP or SNIP with management interface access | Low |
CVE-2021-22955: The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27
Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22
Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23
Citrix ADC 12.1-FIPS before 12.1-55.257
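The CVE-2021-22955 version list above, turned into an inventory triage check (an added example, not Citrix code). It assumes builds are written in the bulletin's own `branch-build.patch` notation; the `fips` and `gateway_or_aaa` flags, the result labels, and the sample hosts are names constructed here.

```python
import re

# First fixed build per release branch for CVE-2021-22955, copied from the
# bulletin's "before X" list. Key: (branch, is_fips).
FIXED_22955 = {
    ("13.0", False): (83, 27),
    ("12.1", False): (63, 22),
    ("11.1", False): (65, 23),
    ("12.1", True): (55, 257),   # 12.1-FIPS has its own build line
}

VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def check_22955(version, fips=False, gateway_or_aaa=True):
    """Classify a build such as '13.0-82.45' against the bulletin's list.

    Returns 'affected', 'fixed', 'precondition-not-met' or 'not-listed'.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    branch = m.group(1)
    build = (int(m.group(2)), int(m.group(3)))  # numeric, so 83.9 < 83.27
    fixed = FIXED_22955.get((branch, fips))
    if fixed is None:
        # Branch is not in the bulletin's list for this CVE; it makes no claim.
        return "not-listed"
    if build >= fixed:
        return "fixed"
    # Pre-condition from the table: VPN (Gateway) or AAA virtual server.
    return "affected" if gateway_or_aaa else "precondition-not-met"


# Constructed sample inventory: (host, version, fips, gateway_or_aaa)
SAMPLE_INVENTORY = [
    ("adc-dmz-01", "13.0-82.45", False, True),
    ("adc-fips-01", "12.1-55.257", True, True),
    ("adc-lb-02", "12.1-62.27", False, False),
]


def triage(inventory):
    """Map each host to its CVE-2021-22955 classification."""
    return {host: check_22955(v, f, g) for host, v, f, g in inventory}
```

The FIPS flag matters because 12.1-55.257 is the fixed build on the 12.1-FIPS line but compares as older than 12.1-63.22 if it is mistaken for a regular 12.1 build.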
CVE-2021-22956: All supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition are affected by this vulnerability until the appliance has been configured according to the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP Edition - Management Module Configuration Reference Guide.
The following supported versions of Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition support this configuration change:
Citrix ADC and Citrix Gateway 13.1-4.43 and later releases
Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0
Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1
Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1
Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS
Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4
Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2
Please note that the WANOP feature of SD-WAN Premium Edition is not impacted.
This bulletin only applies to customer-managed Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP Edition appliances. Customers using Citrix-managed cloud services do not need to take any action.