Description of Problem
Citrix is aware of four vulnerabilities affecting Apache Log4j2, three of which may allow an attacker to execute arbitrary code. These three vulnerabilities have been given the following identifiers:
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-44832
The fourth vulnerability may allow an attacker to cause a denial of service. This vulnerability has been given the following identifier:
- CVE-2021-45105
Citrix continues to investigate any potential impact on Citrix-managed cloud services. If, as the investigation continues, any Citrix-managed services are found to be affected by this issue, Citrix will take immediate action to remediate the problem. Customers using Citrix-managed cloud services do not need to take any action.
In parallel, Citrix continues to investigate the potential impact on customer-managed (on-premises) products. Please find below the present status of these products for CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832.
| Product | Status |
| --- | --- |
| Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway) | Not impacted (all platforms) |
| Citrix Application Delivery Management (NetScaler MAS) | Not impacted (all platforms) |
| Citrix Cloud Connector | Not impacted |
| Citrix Connector Appliance for Cloud Services | Not impacted |
| Citrix Content Collaboration (ShareFile Integration) – Citrix Files for Windows, Citrix Files for Mac, Citrix Files for Outlook | Not impacted |
| Citrix Endpoint Management (Citrix XenMobile Server) | Impacted – Customers are advised to apply the latest CEM rolling patch updates listed below as soon as possible to reduce the risk of exploitation.<br>CVE-2021-44228 and CVE-2021-45046:<br>CVE-2021-45105:<br>Note: Customers who have upgraded their XenMobile Server to the updated versions are recommended not to apply the responder policy mentioned in the blog listed below to the Citrix ADC vserver in front of the XenMobile Server, as it may impact the enrollment of Android devices. |
| Citrix Hypervisor (XenServer) | Not impacted |
| Citrix License Server | Not impacted |
| Citrix SD-WAN | Not impacted (all platforms) |
| Citrix ShareFile StorageZones Controller | Not impacted |
| Citrix Virtual Apps and Desktops (XenApp & XenDesktop) | Impacted – Linux VDA (non-LTSR versions only).<br>CVE-2021-44228 and CVE-2021-45046: Customers are advised to apply the latest update as soon as possible to reduce the risk of exploitation.<br>Mitigations: Customers who are not able to upgrade immediately can execute the following commands with root privileges on the Linux machine running VDA to protect against CVE-2021-44228 and CVE-2021-45046: `cd /opt/Citrix/VDA/lib64` followed by `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`<br>CVE-2021-45105: Investigation has shown that Linux VDA is not impacted. Nonetheless, the Linux VDA 2112 has been updated (21.12.0.30, released December 20th) to contain Apache Log4j version 2.17.0.<br>Not impacted – Linux VDA LTSR (all versions)<br>Not impacted – All other CVAD components |
| Citrix Workspace App | Not impacted (all platforms) |
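The Linux VDA mitigation above removes `JndiLookup.class` from the `log4j-core` jar with `zip -d`. The script below is an added example, not Citrix's own tooling: it does the same thing in pure Python and, more usefully for verification, reports for each `log4j-core-*.jar` in a directory which Log4j version its manifest records and whether the JNDI lookup class is still present, so an administrator can confirm the mitigation or the upgrade actually landed. It assumes the jar's `META-INF/MANIFEST.MF` carries an `Implementation-Version` line (Log4j's published jars do, but a rebuilt jar may not, in which case the version reports as `None`). The jar it operates on in `demo()` is a constructed stand-in with placeholder class bytes, not a real Log4j build.

```python
"""Inspect log4j-core jars for the JndiLookup class and the manifest version,
and optionally strip the class (the `zip -q -d` mitigation) by rewriting the jar.
Added example; the sample jar built by build_sample_jar() is constructed."""
import glob
import os
import shutil
import tempfile
import zipfile

# Entry the advisory's mitigation deletes from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"


def build_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar: a manifest with an
    Implementation-Version line plus placeholder class entries."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\n"
                              f"Implementation-Version: {version}\r\n\r\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return path


def find_log4j_jars(directory):
    """Same file pattern the mitigation targets: log4j-core-*.jar in one directory."""
    return sorted(glob.glob(os.path.join(directory, "log4j-core-*.jar")))


def inspect_jar(path):
    """Return the manifest Implementation-Version (None if absent) and whether
    the JndiLookup class is still inside the jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if MANIFEST in names:
            for line in zf.read(MANIFEST).decode("utf-8", "replace").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    return {"path": path, "version": version, "has_jndi_lookup": JNDI_CLASS in names}


def strip_jndi_lookup(path):
    """Python equivalent of `zip -q -d <jar> org/.../JndiLookup.class`.
    zipfile cannot delete in place, so every other entry is copied (keeping its
    own compression settings) into a temporary jar that then replaces the original.
    Returns True if the entry was present and removed, False if already absent."""
    with zipfile.ZipFile(path) as src:
        if JNDI_CLASS not in src.namelist():
            return False
        fd, tmp = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(path) or ".")
        os.close(fd)
        with zipfile.ZipFile(tmp, "w") as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info.filename))
    shutil.move(tmp, path)
    return True


def demo():
    """Build a constructed jar, inspect it, strip the class, inspect again."""
    workdir = tempfile.mkdtemp()
    jar = build_sample_jar(os.path.join(workdir, "log4j-core-2.14.1.jar"), "2.14.1")
    before = inspect_jar(jar)
    removed = strip_jndi_lookup(jar)
    after = inspect_jar(jar)
    return {"found": [os.path.basename(j) for j in find_log4j_jars(workdir)],
            "before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(demo())
```

On a real host, point `find_log4j_jars` at `/opt/Citrix/VDA/lib64` (running as root, as the advisory says) and call `inspect_jar` on each result: a jar whose `has_jndi_lookup` is `True`, or whose version is below the one shipped in the updated VDA, has not been mitigated. Note that removing the class only addresses the two RCE issues the mitigation is scoped to; the advisory's answer for the remaining issues is the product update, so the version check is the one to keep running after patching.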