Citrix has released security updates to address two vulnerabilities in ADC, Gateway, and SD-WAN, including a critical flaw, tracked as CVE-2021-22955, that can be exploited to trigger a denial-of-service condition.

The CVE-2021-22955 DoS vulnerability affects Citrix Application Delivery Controller (ADC) and Gateway devices that have been configured as a VPN Gateway or AAA virtual server. The second vulnerability, tracked as CVE-2021-22956, affects ADC and Gateway. The issue also affects SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

CVE-ID  Description  CWE  Affected Products  Pre-conditions Criticality 
CVE-2021-22955 Unauthenticated denial of service  CWE-400: Uncontrolled Resource Consumption Citrix ADC, Citrix Gateway Appliance must be configured as a VPN (Gateway) or AAA virtual server Critical 
CVE-2021-22956 Temporary disruption of the Management GUI, Nitro API and RPC communication CWE-400: Uncontrolled Resource Consumption Citrix ADC, Citrix Gateway, Citrix SD-WAN WANOP Edition Access to NSIP or SNIP with management interface access Low 

The exploitation of the flaw can lead to the temporary disruption of the Management GUI, Nitro API and RPC communication. This vulnerability has been rated with low severity.

Citrix recommends customers to install the update as soon as possible. Below is the list of supported versions of ADC and Citrix Gateway address both CVE-2021-22955 and CVE-2021-22956:

  • Citrix ADC and Citrix Gateway 13.1-4.43 and later releases of 13.1 
  • Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0 
  • Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1 
  • Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1 
  • Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS 
     

The following supported versions of Citrix SD-WAN WANOP Edition address CVE-2021-22956: 

  • Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4 
  • Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2