CTX206991
2016-03-14

Overview

A vulnerability has been recently disclosed in the glibc getaddrinfo() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue has been assigned the following CVE identifier:

CVE-2015-7547: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547

The vulnerable function is provided by some Linux-based operating systems. Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.

The following sections provide guidance on the impact and mitigation steps for Linux-based Citrix products. Citrix products that do not include or execute on a Linux-based platform are not impacted by this vulnerability.

Windows-based components of XenDesktop and XenApp do not include, or use, the vulnerable function and are therefore not impacted by this issue.


What Citrix is Doing

Citrix is in the process of analyzing the potential impact of this issue on currently supported products that use or include the vulnerable component. The following section of this advisory provides more information on each product.


Product Details

Citrix NetScaler

NetScaler VPX, NetScaler MPX, NetScaler SDX, NetScaler Insight Center and Command Center Appliance are not affected by this vulnerability.

The NetScaler Gateway Client for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.


Citrix XenServer

Currently supported versions of Citrix XenServer do not contain a vulnerable version of glibc and, as such, are not affected by this vulnerability.


Citrix XenMobile

Citrix XenMobile MDM 9.x for Windows is not affected by this vulnerability. Analysis into the potential impact of this issue on both XenMobile AppController 9.x and XenMobile Server 10.x is currently in progress.

Worx Apps and MDX are not affected by this vulnerability.


Citrix Receiver for Linux

The Receiver for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.


Citrix Linux Virtual Desktop

Citrix Linux Virtual Desktop deployments may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.


Citrix Licensing

The License Server VPX appliance does contain a vulnerable version of glibc. Citrix has released a new version of the License Server VPX, 11.13.1.2, that addresses this issue. This new version can be downloaded from the following location on the Citrix Website:

https://www.citrix.com/downloads/licensing.html

Customers using older versions of the License Server VPX that are not able to upgrade can, as an interim measure, log in to the License Server console and update the VPX using the following command from the command line:

yum update

Following the completion of the update, the server should be rebooted to ensure that the updated packages are used.
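A post-update check for the procedure above, as an added example that is not part of the Citrix advisory: it looks for the CVE in the installed glibc package changelog and lists processes that still map the replaced libc, which is why the reboot matters. The function names are illustrative, and the changelog check assumes the distribution's glibc package changelog names the CVE.

```shell
#!/bin/sh
# Added example (not Citrix code): checks to run after "yum update" on an
# RPM-based host. Assumption: the distribution's glibc package changelog
# names the CVE it fixes; confirm against the OS vendor's advisory.
CVE_ID="CVE-2015-7547"

# Succeeds if the changelog text on stdin mentions the CVE.
changelog_mentions_fix() {
    grep -q -- "$CVE_ID"
}

# Succeeds if a /proc/<pid>/maps-format file shows a libc mapping whose file
# was replaced on disk; the kernel marks such mappings with " (deleted)".
maps_has_stale_libc() {
    grep -Eqs '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$1"
}

# Prints "pid command" for every process still executing the pre-update libc.
list_stale_processes() {
    for maps_file in /proc/[0-9]*/maps; do
        if maps_has_stale_libc "$maps_file"; then
            stale_pid=${maps_file#/proc/}
            stale_pid=${stale_pid%/maps}
            printf '%s %s\n' "$stale_pid" "$(cat "/proc/$stale_pid/comm" 2>/dev/null)"
        fi
    done
}

post_update_report() {
    if command -v rpm >/dev/null 2>&1; then
        if rpm -q --changelog glibc 2>/dev/null | changelog_mentions_fix; then
            echo "glibc changelog lists $CVE_ID"
        else
            echo "glibc changelog does not list $CVE_ID"
        fi
    fi
    stale_list=$(list_stale_processes)
    if [ -n "$stale_list" ]; then
        echo "Still running the old libc (restart these or reboot):"
        echo "$stale_list"
    else
        echo "No process maps a replaced libc"
    fi
    return 0
}

post_update_report
```

Run it as root so that every process's maps file is readable; an unprivileged run only sees the caller's own processes.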


Citrix XenDesktop Volume Worker Template

Customers deploying Virtual Desktop Agents that are hosted on Citrix CloudPlatform are advised to verify that the volume worker template is using a version of glibc that is not vulnerable to this issue. Setup instructions for the volume worker template on CloudPlatform can be found in the following document: CTX140428 (http://support.ctx.org.cn/CTX140428.citrix).

Amazon Web Services based deployments use the Linux AMI template. Guidance from Amazon about this issue can be found at the following location: https://aws.amazon.com/security/security-bulletins/cve-2015-7547-advisory/


Citrix VDI in a Box

Analysis of the impact of this issue on Citrix VDI in a Box is in progress. This section will be updated as soon as additional information is available.


Citrix CloudBridge

Citrix CloudBridge 7.x does not contain a vulnerable version of glibc and, as such, is not affected by this vulnerability. Analysis of the impact of this issue on Citrix CloudBridge 8.x is in progress. This section will be updated as soon as additional information is available.


Citrix ByteMobile

Analysis of the impact of this issue on Citrix ByteMobile is in progress. This section will be updated as soon as additional information is available.


The above list will be updated as the analysis into this issue progresses.


Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.


Reporting Security Vulnerabilities

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix


Changelog

Date | Change
February 19th 2016 | Initial bulletin publishing
February 19th 2016 | Update to NetScaler and XenMobile sections, addition of CloudBridge and ByteMobile sections
February 22nd 2016 | Update to NetScaler section for Command Center Appliance
February 23rd 2016 | Update to NetScaler section for NetScaler Gateway Client on Linux
March 14th 2016 | Update to Licensing section
