Citrix Security Advisory for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.

Related Vulnerabilities: CVE-2021-44228   CVE-2021-45046   CVE-2021-44832   CVE-2021-45105  

Description of Problem

Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of which may allow an attacker to execute arbitrary code. These three vulnerabilities have been given the following identifiers: 

  • CVE-2021-44228 
  • CVE-2021-45046 
  • CVE-2021-44832 

The fourth vulnerability may allow an attacker to cause a denial of service. This vulnerability has been given the following identifier: 

  • CVE-2021-45105 

Citrix continues to investigate any potential impact on Citrix-managed cloud services. If, as the investigation continues, any Citrix-managed services are found to be affected by this issue, Citrix will take immediate action to remediate the problem. Customers using Citrix-managed cloud services do not need to take any action. 

In parallel, Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.  

Product: Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway)
Status: Not impacted (all platforms)

Product: Citrix Application Delivery Management (NetScaler MAS)
Status: Not impacted (all platforms)

Product: Citrix Cloud Connector
Status: Not impacted

Product: Citrix Connector Appliance for Cloud Services
Status: Not impacted

Product: Citrix Content Collaboration (ShareFile Integration) – Citrix Files for Windows, Citrix Files for Mac, Citrix Files for Outlook
Status: Not impacted

Product: Citrix Endpoint Management (Citrix XenMobile Server)
Status: Impacted – Customers are advised to apply the latest CEM rolling patch updates listed below as soon as possible to reduce the risk of exploitation.

CVE-2021-44228 and CVE-2021-45046:

CVE-2021-45105:

Note: Customers who have upgraded their XenMobile Server to the updated versions are recommended not to apply the responder policy mentioned in the blog listed below to the Citrix ADC vserver in front of the XenMobile Server, as it may impact the enrollment of Android devices.

CVE-2021-44832: Not impacted

Product: Citrix Hypervisor (XenServer)
Status: Not impacted

Product: Citrix License Server
Status: Not impacted

Product: Citrix SD-WAN
Status: Not impacted (all platforms)

Product: Citrix ShareFile StorageZones Controller
Status: Not impacted

Product: Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
Status: Impacted – Linux VDA (non-LTSR versions only)

CVE-2021-44228 and CVE-2021-45046:

Customers are advised to apply the latest update as soon as possible to reduce the risk of exploitation.

Mitigations:

Customers who are not able to upgrade immediately can execute the following commands with root privileges on the Linux machine running the VDA to protect against CVE-2021-44228 and CVE-2021-45046:

  cd /opt/Citrix/VDA/lib64
  zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

CVE-2021-45105:

Investigation has shown that Linux VDA is not impacted. Nonetheless, the Linux VDA 2112 has been updated (21.12.0.30, released December 20th) to contain Apache log4j version 2.17.0.

Not Impacted – Linux VDA LTSR all versions
Not Impacted – All other CVAD components

CVE-2021-44832: Not impacted

Product: Citrix Workspace App
Status: Not impacted (all platforms)
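To confirm that the interim Linux VDA mitigation above was actually applied (JndiLookup.class removed from the jar) or that the jar was replaced by a 2.17.0 build, here is an added audit script; it is not part of the Citrix advisory, and the sample jar it builds is a constructed stand-in, not a real log4j build.

```python
"""Audit log4j-core jars for the JndiLookup mitigation described above."""
import io
import re
import zipfile
from pathlib import Path

# Class that the advisory's zip command strips from the jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Version the updated Linux VDA ships (per the advisory); the upstream
# fixes for CVE-2021-44228, -45046 and -45105 are all in 2.17.0 or earlier.
FIXED_VERSION = (2, 17, 0)

def parse_version(text):
    """Turn '2.17.0' into (2, 17, 0); None if the string is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def audit_log4j_jar(jar):
    """Report version and JndiLookup presence for one jar (path or file-like)."""
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = parse_version(line.split(":", 1)[1])
    has_jndi = JNDI_LOOKUP in names
    upgraded = version is not None and version >= FIXED_VERSION
    # Acceptable if upgraded, or if the class was removed (the interim mitigation).
    return {"version": version, "jndi_lookup_present": has_jndi,
            "ok": upgraded or not has_jndi}

def scan_directory(lib_dir):
    """Audit every log4j-core jar in a directory, e.g. /opt/Citrix/VDA/lib64."""
    return {p.name: audit_log4j_jar(p) for p in Path(lib_dir).glob("log4j-core-*.jar")}

def build_sample_jar(version, include_jndi):
    """Constructed in-memory sample jar (not a real log4j build) for demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    buf.seek(0)
    return buf
```

Point scan_directory at /opt/Citrix/VDA/lib64 after running the commands above; it inspects every log4j-core jar present, whereas zip -d modifies only the first archive the glob expands to.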


What Customers Should Do

Affected customers are strongly recommended to immediately apply the latest updates to reduce the risk of exploitation. 

All customers are recommended to monitor this article for the latest updates. Customers may also subscribe to receive notifications at https://support.citrix.com/user/alerts 

Citrix also strongly recommends that customers consider security guidance from vendors of other products that they may have deployed. As an interim measure, Citrix ADC Standard, Advanced or Premium edition customers may reduce the risk of exploitation of these vulnerabilities on servers running behind a Citrix ADC by deploying updated WAF signatures or by binding responder policies to the appropriate bind point (vserver or global). Please see our blog for additional information. Citrix will continue to monitor this dynamic situation and update the blog as new measures become available.   


What Citrix is Doing

Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.

Subscribe to Receive Alerts

Citrix strongly recommends that all customers subscribe to receive alerts when a Citrix security bulletin is created or modified at https://support.citrix.com/user/alerts.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. Citrix reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document directly from the Citrix Knowledge Center.

Changelog

2021-12-11  Initial Publication
2021-12-11  Update to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway)
2021-12-12  Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), Citrix Application Delivery Management (NetScaler MAS), Citrix License Server, Citrix ShareFile Storage Zones Controller, Citrix Virtual Apps and Desktops (XenApp & XenDesktop), and Citrix Workspace App
2021-12-13  Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), Citrix Cloud Connector, Citrix Connector Appliance for Cloud Services, Citrix License Server, Citrix SD-WAN, Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-14  Added information about configurations that are designed to mitigate the risk of exploit of CVE-2021-44228.
2021-12-16  Updates to Citrix Endpoint Management On-premises (Citrix XenMobile Server)
2021-12-16  Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop) and Citrix Endpoint Management On-premises (Citrix XenMobile Server)
2021-12-16  Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-17  Updates to Citrix Content Collaboration (ShareFile Integration)
2021-12-18  Minor update to text to make it evident that the Security Bulletin addresses two CVEs – CVE-2021-44228 and CVE-2021-45046
2021-12-18  Updates to include CVE-2021-45105 and clarify text
2021-12-19  Update to the blog link
2021-12-20  Updates to Citrix Endpoint Management On-premises (Citrix XenMobile Server) and Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-22  Update to Citrix Endpoint Management On-premises (Citrix XenMobile Server)
2021-12-28  Update to include CVE-2021-44832
2021-12-29  Updates to Citrix Endpoint Management On-premises (Citrix XenMobile Server) and Citrix Virtual Apps and Desktops (XenApp & XenDesktop)