by Daniel Ruiz
Practice Lead, Citrix Technologies
Today Citrix announced two new vulnerabilities in Citrix ADC and Citrix Gateway (NetScaler) that could result in a denial of service.
Vulnerabilities:
CVE-2022-27507 (Medium severity)
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability if DTLS is enabled and ‘HDX Insight for EDT traffic’ or ‘SmartControl’ (or both) has been configured.
- Citrix ADC and Citrix Gateway 13.1 before 13.1-21.50
- Citrix ADC and Citrix Gateway 13.0 before 13.0-85.19
- Citrix ADC and Citrix Gateway 12.1 before 12.1-64.17
- Citrix ADC 12.1-FIPS before 12.1-55.278
- Citrix ADC 12.1-NDcPP before 12.1-55.278
Citrix ADC and Citrix Gateway are vulnerable if both of the following conditions are met:
- DTLS is enabled
- ‘HDX Insight for EDT traffic’ or ‘SmartControl’ is configured
CVE-2022-27508 (High severity)
The only supported version of Citrix ADC and Citrix Gateway affected by this vulnerability is Citrix ADC and Citrix Gateway 12.1-64.16.
All other supported versions of Citrix ADC and Citrix Gateway, including the FIPS and NDcPP versions, are not affected by this issue.
Solution / Workarounds:
Citrix recommends that affected customers install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible.
- Citrix ADC and Citrix Gateway 13.1-21.50 and later releases
- Citrix ADC and Citrix Gateway 13.0-85.19 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-64.17 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.278 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.278 and later releases of 12.1-NDcPP
Customers affected only by CVE-2022-27507 (DTLS enabled with ‘HDX Insight for EDT traffic’ or ‘SmartControl’ configured) can alternatively disable ‘HDX Insight for EDT traffic’ to address the issue without upgrading.
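To make the affected-version lists above easier to apply across a fleet, here is an added example (not Citrix's code and not part of the original advisory) that encodes the fixed builds and the CVE-2022-27507 configuration preconditions from this post and checks a version string against them. It assumes version strings in the "<train>-<build>.<subbuild>" form the advisory uses (e.g. "13.0-85.19") and that the caller knows whether the appliance runs the standard, FIPS or NDcPP train; the sample inventory at the bottom is constructed, and pulling the version and DTLS/HDX Insight/SmartControl settings from a real appliance is outside the example.

```python
"""Check whether a Citrix ADC / Gateway build falls inside the version
ranges the advisory lists for CVE-2022-27507 and CVE-2022-27508.

Example code added to this post; not Citrix's own tooling."""
import re
from typing import Optional, Tuple

# First fixed build per release train, taken from the advisory. The key is
# (train, variant) where variant is None for the standard build.
FIXED_BUILDS = {
    ("13.1", None): (21, 50),
    ("13.0", None): (85, 19),
    ("12.1", None): (64, 17),
    ("12.1", "FIPS"): (55, 278),
    ("12.1", "NDcPP"): (55, 278),
}

# The single build the advisory names for CVE-2022-27508 (standard 12.1 only).
CVE_2022_27508_AFFECTED = ("12.1", None, (64, 16))

_VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")


def parse_version(version: str, variant: Optional[str] = None
                  ) -> Tuple[str, Optional[str], Tuple[int, int]]:
    """Split "13.0-85.19" into ("13.0", variant, (85, 19)).

    variant is "FIPS", "NDcPP" or None; the advisory lists those trains
    separately, so the caller has to say which one the appliance runs."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    if variant not in (None, "FIPS", "NDcPP"):
        raise ValueError(f"unknown variant: {variant!r}")
    train, build, sub = m.groups()
    return train, variant, (int(build), int(sub))


def affected_by_cve_2022_27507(version: str, variant: Optional[str] = None,
                               dtls_enabled: bool = False,
                               hdx_insight_edt: bool = False,
                               smartcontrol: bool = False) -> bool:
    """True when the build is older than the fixed build for its train AND
    the advisory's preconditions hold: DTLS enabled and either HDX Insight
    for EDT traffic or SmartControl configured."""
    train, variant, build = parse_version(version, variant)
    fixed = FIXED_BUILDS.get((train, variant))
    if fixed is None:
        # A train the advisory does not list: refuse to guess either way.
        raise ValueError(f"train {train} ({variant or 'standard'}) is not covered by the advisory")
    vulnerable_build = build < fixed          # tuple comparison: build, then sub-build
    preconditions = dtls_enabled and (hdx_insight_edt or smartcontrol)
    return vulnerable_build and preconditions


def affected_by_cve_2022_27508(version: str, variant: Optional[str] = None) -> bool:
    """True only for standard Citrix ADC / Gateway 12.1-64.16."""
    return parse_version(version, variant) == CVE_2022_27508_AFFECTED


if __name__ == "__main__":
    # Constructed sample inventory:
    # (hostname, version, variant, dtls_enabled, hdx_insight_edt, smartcontrol)
    inventory = [
        ("adc-edge-1", "13.0-85.15", None, True, True, False),
        ("adc-edge-2", "13.0-85.19", None, True, True, False),
        ("gw-12-1", "12.1-64.16", None, False, False, False),
        ("adc-fips", "12.1-55.260", "FIPS", True, False, True),
    ]
    for host, ver, var, dtls, hdx, sc in inventory:
        flags = []
        if affected_by_cve_2022_27507(ver, var, dtls, hdx, sc):
            flags.append("CVE-2022-27507")
        if affected_by_cve_2022_27508(ver, var):
            flags.append("CVE-2022-27508")
        print(f"{host:12} {ver:12} {var or 'standard':9} {', '.join(flags) or 'not affected'}")
```

Note that the CVE-2022-27507 check returns False for a pre-fix build when DTLS is off or neither feature is configured, matching the advisory's "both conditions" wording, and that the 12.1-64.16 check is deliberately limited to the standard train because the post states FIPS and NDcPP builds are not affected by CVE-2022-27508.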
If you would like more information or assistance from our industry-leading team of Citrix experts to plan and execute the upgrade, please contact us at service@helient.com.