Citrix Patches Critical Flaws

Citrix has released security updates to address two vulnerabilities in ADC, Gateway, and SD-WAN, including a critical flaw, tracked as CVE-2021-22955, that can be exploited to trigger a denial-of-service condition.

The CVE-2021-22955 DoS vulnerability affects Citrix Application Delivery Controller (ADC) and Gateway devices that have been configured as a VPN Gateway or AAA virtual server. The second vulnerability, tracked as CVE-2021-22956, affects ADC and Gateway. The issue also affects SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

The exploitation of the flaw can lead to the temporary disruption of the Management GUI, Nitro API and RPC communication. This vulnerability has been rated with low severity.

Citrix recommends customers to install the update as soon as possible. Below is the list of supported versions of ADC and Citrix Gateway address both CVE-2021-22955 and CVE-2021-22956:

• Citrix ADC and Citrix Gateway 13.1-4.43 and later releases of 13.1 
• Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0 
• Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1 
• Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1 
• Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS 
   

The following supported versions of Citrix SD-WAN WANOP Edition address CVE-2021-22956: 

• Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4 
• Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2