Citrix Patches Critical Vulnerability in ADC, Gateway

Citrix this week released patches for a couple of vulnerabilities affecting Citrix ADC, Gateway, and SD-WAN, including a critical bug leading to denial of service (DoS).

The most severe of the two bugs is CVE-2021-22955, a critical security hole that could lead to a DoS condition on appliances that have been configured as a VPN (Gateway) or AAA virtual server.

The security flaw was identified in Citrix Application Delivery Controller (ADC, formerly NetScaler ADC), and Gateway (formerly NetScaler Gateway).

Tracked as CVE-2021-22956, the second flaw could lead to the temporary disruption of the Management GUI, Nitro API, and RPC communication.

Considered low severity, the bug affects ADC and Gateway, as well as SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO, Citrix explains in an advisory.

Citrix addressed both vulnerabilities in ADC and Gateway 13.1-4.43 and later releases of 13.1, 13.0-83.27 and later releases of 13.0, 12.1-63.22 and later releases of 12.1, and 11.1-65.23 and later releases of 11.1, and in ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS.

CVE-2021-22956, Citrix says, was addressed in SD-WAN WANOP Edition 11.4.2 and later releases of 11.4, and 10.2.9c and later releases of 10.2.

“Please note that the WANOP feature of SD-WAN Premium Edition is not impacted,” Citrix notes.

Affected Citrix customers are encouraged to install the available patches as soon as possible.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged users and administrators to review Citrix’s advisory and apply the necessary updates.

Related: Citrix Patches Hypervisor Vulnerabilities Allowing Host Compromise

Related: Citrix Patches DoS Vulnerabilities in Hypervisor

Related: Citrix Releases Updates to Prevent DDoS Attacks Abusing Its Appliances