Citrix has released security updates to address two vulnerabilities in ADC, Gateway, and SD-WAN, including a critical flaw, tracked as CVE-2021-22955, that can be exploited to trigger a denial of service (DoS) condition.
The CVE-2021-22955 DoS vulnerability affects Citrix Application Delivery Controller (ADC) and Gateway devices that have been configured as a VPN (Gateway) or AAA virtual server.
The second vulnerability, tracked as CVE-2021-22956, affects ADC and Gateway. The issue also affects SD-WAN WANOP edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.
The exploitation of the flaw can lead to the temporary disruption of the Management GUI, Nitro API and RPC communication. This vulnerability has been rated with low severity.
Citrix recommends customers to install the update as soon as possible. Below is the list of supported versions of ADC and Citrix Gateway address both CVE-2021-22955 and CVE-2021-22956:
The following supported versions of Citrix SD-WAN WANOP Edition address CVE-2021-22956:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also published a security advisory related to the above vulnerabilities.
“Citrix has released security updates to address vulnerabilities affecting multiple versions of Citrix Application Delivery Controller (ADC), Gateway, and SD-WAN WANOP. An attacker could exploit these vulnerabilities to cause a denial-of-service condition.” reads the announcement published by CISA.
“CISA encourages users and administrators to review Citrix Security Bulletin CTX330728 and apply the necessary updates as soon as possible.”
(SecurityAffairs – hacking, Citrix)