
=====================================================================

                              CERT-Renater

                  Information Note No. 2021/VULN598
_____________________________________________________________________

DATE                : 10/11/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Citrix ADC and Citrix Gateway
                     versions prior to 13.1-4.43, 13.0-83.27, 12.1-63.22,
          Citrix ADC and NetScaler Gateway versions prior to 11.1-65.23,
                 Citrix ADC 12.1-FIPS versions prior to 12.1-55.257.

=====================================================================
https://support.citrix.com/article/CTX330728
_____________________________________________________________________

CTX330728
Citrix Application Delivery Controller, Citrix Gateway, and
Citrix SD-WAN WANOP Edition appliance Security Update

Created: 09 Nov 2021 | Modified: 09 Nov 2021


Applicable Products

Citrix ADC     Citrix Gateway      Citrix SD-WAN WANOP


Description of Problem

Vulnerabilities have been discovered in Citrix ADC (formerly known as
NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway),
and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and
5100-WO. These vulnerabilities, if exploited, could result in the
following security issues:

CVE-2021-22955
  Description       : Unauthenticated denial of service
  CWE               : CWE-400: Uncontrolled Resource Consumption
  Affected Products : Citrix ADC, Citrix Gateway
  Pre-conditions    : Appliance must be configured as a VPN (Gateway) or
                      AAA virtual server
  Criticality       : Critical

CVE-2021-22956
  Description       : Temporary disruption of the Management GUI, Nitro API
                      and RPC communication
  CWE               : CWE-400: Uncontrolled Resource Consumption
  Affected Products : Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition
  Pre-conditions    : Access to NSIP or SNIP with management interface access
  Criticality       : Low

The following supported versions of Citrix ADC and Citrix Gateway
are affected by CVE-2021-22955 and CVE-2021-22956:


Citrix ADC and Citrix Gateway 13.0 before 13.0-83.27

Citrix ADC and Citrix Gateway 12.1 before 12.1-63.22

Citrix ADC and NetScaler Gateway 11.1 before 11.1-65.23

Citrix ADC 12.1-FIPS before 12.1-55.257


The following supported versions of Citrix SD-WAN WANOP Edition 
are affected by CVE-2021-22956:

Citrix SD-WAN WANOP Edition 11.4 before 11.4.2

Citrix SD-WAN WANOP Edition 10.2 before 10.2.9c

Please note that the WANOP feature of SD-WAN Premium Edition is not 
impacted.


This bulletin only applies to customer-managed Citrix ADC, Citrix
Gateway and Citrix SD-WAN WANOP Edition appliances. Customers using
Citrix-managed cloud services do not need to take any action.



What Customers Should Do

The following supported versions of Citrix ADC and Citrix Gateway
address both CVE-2021-22955 and CVE-2021-22956:


Citrix ADC and Citrix Gateway 13.1-4.43 and later releases of 13.1

Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0

Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1

Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1

Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS


The following supported versions of Citrix SD-WAN WANOP Edition address
CVE-2021-22956:

Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4

Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2


Citrix recommends that affected customers install the relevant update as
soon as possible.
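As an added example (not part of the Citrix bulletin or the CERT-Renater note), the check below compares a Citrix ADC / Citrix Gateway version string against the fixed builds listed above, branch by branch. It assumes version strings written as `13.0-83.27` or in the `NS13.0: Build 83.27.nc` wording of `show ns version`, and that the caller knows whether a 12.1 build is the FIPS variant.

```python
import re

# Fixed builds per release branch, as listed in CTX330728. A build is fixed
# when it is at or above the listed build of its OWN branch; builds from
# other branches are not comparable (13.0-83.27 says nothing about 12.1).
FIXED_BUILDS = {
    "13.1": (4, 43),
    "13.0": (83, 27),
    "12.1": (63, 22),
    "11.1": (65, 23),
    "12.1-FIPS": (55, 257),
}

# Assumption: versions look like "13.0-83.27" or "NS13.0: Build 83.27.nc".
VERSION_RE = re.compile(r"(?:NS)?(\d+\.\d+)(?:-|:\s*Build\s+)(\d+)\.(\d+)")


def parse_version(text):
    """Return (branch, build, minor) from a version string, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3))


def assess(text, fips=False):
    """Classify a version against CTX330728.

    Returns 'fixed', 'affected', 'unsupported-branch' or 'unparseable'.
    'fixed' means the CVE-2021-22955/22956 code fix is present; the
    bulletin still requires a configuration change for CVE-2021-22956.
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unparseable"
    branch, build, minor = parsed
    key = f"{branch}-FIPS" if fips else branch
    fixed = FIXED_BUILDS.get(key)
    if fixed is None:
        # Branches not listed in the bulletin (e.g. end-of-life releases)
        # cannot be declared safe by this check.
        return "unsupported-branch"
    return "fixed" if (build, minor) >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inputs, not real appliance output.
    for sample in ("13.0-83.27", "NetScaler NS13.0: Build 82.42.nc",
                   "12.1-55.257"):
        print(sample, "->", assess(sample), "/ FIPS:", assess(sample, True))
```

Note the FIPS case: `12.1-55.257` is the fixed FIPS build but reads as an old, affected build on the standard 12.1 branch, so the variant must be known before comparing.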


In addition, upon upgrading to a fixed version, customers must modify
the device configuration to resolve CVE-2021-22956. See Citrix
Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP
Edition - Management Module Configuration Reference Guide for details.


What Citrix is Doing

Citrix is notifying customers and channel partners about this potential
security issue. This article is also available from the Citrix Knowledge
Center at https://support.citrix.com/.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact
Citrix Technical Support. Contact details for Citrix Technical Support
are available at https://www.citrix.com/support/open-a-support-case/.


Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and
considers any and all potential vulnerabilities seriously. For details
on our vulnerability response process and guidance on how to report
security-related issues to Citrix, please see the following webpage:
https://www.citrix.com/about/trust-center/vulnerability-process.html.



Disclaimer
This document is provided on an "as is" basis and does not imply any
kind of guarantee or warranty, including the warranties of
merchantability or fitness for a particular use. Your use of the
information on the document is at your own risk. Citrix reserves the
right to change or update this document at any time.



Changelog

Date            Change
2021-11-09      Initial Publication
2021-11-09      Minor formatting changes

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================


