===================================================================
CERT-Renater Note d'Information No. 2021/VULN660
_____________________________________________________________________
DATE : 17/12/2021
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Citrix customer-managed (on-premise) products.
====================================================================
https://support.citrix.com/article/CTX335705
_____________________________________________________________________

CTX335705
Citrix Security Advisory for Apache CVE-2021-44228 and CVE-2021-45046

Security Bulletin | Critical | Created: 11 Dec 2021 | Modified: 17 Dec 2021

Applicable Products

    Citrix ADC
    Citrix Endpoint Management
    Citrix Gateway
    Citrix SD-WAN
    Citrix Workspace App
    Citrix Virtual Apps and Desktops
    Citrix Application Delivery Management
    ShareFile

Description of Problem

Citrix is aware of a vulnerability affecting Apache Log4j2 which, if exploited, allows an attacker who is able to control log messages or log message parameters to execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.

This vulnerability has been given the following identifiers (CVE-2021-45046 tracks the incomplete fix for CVE-2021-44228 that shipped in Log4j 2.15.0):

    CVE-2021-44228
    CVE-2021-45046

Citrix continues to investigate any potential impact on Citrix-managed services, including Citrix Cloud. If, as the investigation continues, any Citrix-managed services are found to be affected by this issue, Citrix will take immediate action to remediate the problem. Customers using Citrix-managed cloud services do not need to take any action.

In parallel, Citrix continues to investigate the potential impact on customer-managed (on-premise) products.
Please find below the present status of these products:

Product / Status

Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway)
    Not impacted (all platforms)

Citrix Application Delivery Management (NetScaler MAS)
    Not impacted (all platforms)

Citrix Cloud Connector
    Not impacted

Citrix Connector Appliance for Cloud Services
    Not impacted

Citrix Endpoint Management (Citrix XenMobile Server)
    Impacted – Customers are advised to apply the latest CEM rolling patch updates listed below as soon as possible to reduce the risk of exploitation:
        XenMobile Server 10.14 RP2:  https://support.citrix.com/article/CTX335763
        XenMobile Server 10.13 RP5:  https://support.citrix.com/article/CTX335753
        XenMobile Server 10.12 RP10: https://support.citrix.com/article/CTX335785
    Customers who have upgraded their XenMobile Server to the updated versions are advised not to apply the responder policy listed below to the Citrix ADC vserver in front of the XenMobile Server.

Citrix Hypervisor (XenServer)
    Not impacted

Citrix License Server
    Not impacted

Citrix SD-WAN
    Not impacted (all platforms)

Citrix ShareFile Storage Zones Controller
    Not impacted

Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
    Impacted – Linux VDA (non-LTSR versions only). Customers are advised to apply the latest update as soon as possible to reduce the risk of exploitation:
        Linux Virtual Delivery Agent 2112: https://www.citrix.com/downloads/citrix-virtual-apps-and-desktops/components/linux-vda-2112.html
    Mitigations: Customers who are not able to upgrade immediately can execute the following commands with root privileges on the Linux machine running the VDA:
        cd /opt/Citrix/VDA/lib64
        zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
    Not impacted – Linux VDA LTSR (all versions)
    Not impacted – All other CVAD components

Citrix Workspace App
    Not impacted (all platforms)

What Customers Should Do

To mitigate the risk of exploitation of CVE-2021-44228 on any applications hosted on back-end servers that sit behind Citrix ADC, Citrix has released configurations that customers can make use of. Citrix ADC Standard, Advanced or Premium edition customers may use responder policies for protection as shown below. Bind the responder policy to the appropriate bind point (vserver or global).

    add policy patset patset_cve_2021_44228
    bind policy patset patset_cve_2021_44228 ldap
    bind policy patset patset_cve_2021_44228 http
    bind policy patset patset_cve_2021_44228 https
    bind policy patset patset_cve_2021_44228 ldaps
    bind policy patset patset_cve_2021_44228 rmi
    bind policy patset patset_cve_2021_44228 dns
    add responder policy mitigate_exploit_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP

The expression fires on either of two patterns, in the request headers or in the first 8192 bytes of the body, after URL decoding: a lookup opened inside another lookup (a "${" before the closing "}" of the first "${"), which catches nested-lookup obfuscation such as ${${lower:j}ndi:...}; or, case-insensitively and with the characters $ { : space } / + removed, the string "jndi" followed anywhere later by one of the scheme tokens bound into the patset (ldap, http, https, ldaps, rmi, dns).

Please see our prior blog for additional information. Citrix will continue to monitor this dynamic situation and update the blog as new measures become available.

Note: Applying the responder policy may result in limited functionality impact on back-end server applications, because the second pattern matches any request in which "jndi" is followed by one of the patset tokens, whether or not a lookup is present.

Citrix strongly recommends that customers apply Apache patches as soon as possible. Until you are fully patched, you may reduce the risk of a successful attack by applying the configurations above. These configurations should not be considered full solutions as they do not fully address the underlying issue(s). Citrix will continue to monitor for and respond to new information related to this vulnerability.
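The following is an added example, not Citrix code, showing how to verify the Linux VDA mitigation above (removal of JndiLookup.class from log4j-core-*.jar) before and after applying it, using Python's zipfile module as an equivalent of zip -q -d. The jars it builds are constructed stand-ins with placeholder bytes in place of real class files, and the directory it scans is a temporary directory rather than /opt/Citrix/VDA/lib64; the scan_directory function takes the real path when used on a VDA.

```python
"""Check for, and strip, JndiLookup.class in log4j-core jars (added example)."""
import os
import shutil
import tempfile
import zipfile

# Entry named in the advisory's zip -d command
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def has_jndi_lookup(jar_path):
    """True if the jar still carries the JNDI lookup class, i.e. is not yet mitigated."""
    with zipfile.ZipFile(jar_path) as jar:
        return JNDI_LOOKUP in jar.namelist()


def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class (same effect as `zip -q -d <jar> <entry>`).

    Returns True if the entry was removed, False if the jar had nothing to remove.
    Other entries keep their compression type and timestamps; the jar is replaced
    atomically so a crash mid-way leaves the original in place.
    """
    if not has_jndi_lookup(jar_path):
        return False
    tmp_path = jar_path + ".tmp"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                continue
            dst.writestr(info, src.read(info))  # ZipInfo carries compress_type and metadata
    os.replace(tmp_path, jar_path)
    return True


def scan_directory(lib_dir):
    """Map each log4j-core-*.jar in lib_dir to whether it still contains JndiLookup.class."""
    results = {}
    for name in sorted(os.listdir(lib_dir)):
        if name.startswith("log4j-core-") and name.endswith(".jar"):
            results[name] = has_jndi_lookup(os.path.join(lib_dir, name))
    return results


def build_sample_jar(path, with_jndi=True):
    """Constructed stand-in for a log4j-core jar: a manifest, one dummy class, optionally JndiLookup."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Scan, strip, re-scan a constructed lib directory; returns (before, removed, after)."""
    lib_dir = tempfile.mkdtemp()  # stands in for /opt/Citrix/VDA/lib64
    try:
        build_sample_jar(os.path.join(lib_dir, "log4j-core-2.14.1.jar"))
        build_sample_jar(os.path.join(lib_dir, "log4j-core-stripped-sample.jar"), with_jndi=False)
        before = scan_directory(lib_dir)
        removed = {name: strip_jndi_lookup(os.path.join(lib_dir, name)) for name in before}
        after = scan_directory(lib_dir)
        return before, removed, after
    finally:
        shutil.rmtree(lib_dir)


if __name__ == "__main__":
    for label, result in zip(("before", "removed", "after"), demo()):
        print(label, result)
```

Two practical notes. zip's syntax is `zip -d <archive> <entry>...`, so if the glob in the advisory's command expands to more than one log4j-core jar, the second jar name is taken as an entry pattern to delete rather than as a second archive; processing each jar separately, as scan_directory and strip_jndi_lookup do, avoids that. And removing the class from the jar does not unload it from a Java process that has already loaded it: the VDA's Java services must be restarted for the mitigation to take effect.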
Customers are recommended to monitor this article for the latest updates. Customers may also subscribe to receive notifications at https://support.citrix.com/user/alerts.

What Citrix is Doing

Citrix is notifying customers and channel partners about this potential security issue. This article is also available from the Citrix Knowledge Center at https://support.citrix.com/.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case/.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For details on our vulnerability response process and guidance on how to report security-related issues to Citrix, please see the following webpage: https://www.citrix.com/about/trust-center/vulnerability-process.html.

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document is at your own risk. Citrix reserves the right to change or update this document at any time.
Changelog

2021-12-11  Initial Publication
2021-12-11  Update to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway)
2021-12-12  Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), Citrix Application Delivery Management (NetScaler MAS), Citrix License Server, Citrix ShareFile Storage Zones Controller, Citrix Virtual Apps and Desktops (XenApp & XenDesktop), and Citrix Workspace App
2021-12-13  Updates to Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway), Citrix Cloud Connector, Citrix Connector Appliance for Cloud Services, Citrix License Server, Citrix SD-WAN, Citrix Virtual Apps and Desktops (XenApp & XenDesktop)
2021-12-14  Added information about configurations that are designed to mitigate the risk of exploit of CVE-2021-44228.
2021-12-16  Updates to Citrix Endpoint Management On-premises (Citrix XenMobile Server)
2021-12-16  Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop) and Citrix Endpoint Management On-premises (Citrix XenMobile Server)
2021-12-16  Updates to Citrix Virtual Apps and Desktops (XenApp & XenDesktop)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: cert@support.renater.fr  +
=========================================================