A vulnerability has recently been disclosed in the glibc getaddrinfo() function. This issue could potentially allow an attacker to inject code into a process that calls the vulnerable function. The issue has been assigned the following CVE identifier:
The vulnerable function is provided by some Linux-based operating systems. Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.
The following sections provide guidance on the impact and mitigation steps for Linux-based Citrix products. Citrix products that do not include or execute on a Linux-based platform are not impacted by this vulnerability.
Windows-based components of XenDesktop and XenApp do not include, or use, the vulnerable function and are therefore not impacted by this issue.
What Citrix is Doing
Citrix is in the process of analyzing the potential impact of this issue on currently supported products that use or include the vulnerable component. The following section of this advisory provides more information on each product.
NetScaler VPX, NetScaler MPX, NetScaler SDX, NetScaler Insight Center and Command Center Appliance are not affected by this vulnerability.
The NetScaler Gateway Client for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.
Currently supported versions of Citrix XenServer do not contain a vulnerable version of glibc and, as such, are not affected by this vulnerability.
Citrix XenMobile MDM 9.x for Windows is not affected by this vulnerability. Analysis into the potential impact of this issue on both XenMobile AppController 9.x and XenMobile Server 10.x is currently in progress.
Worx Apps and MDX are not affected by this vulnerability.
Citrix Receiver for Linux
The Receiver for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.
Citrix Linux Virtual Desktop
Citrix Linux Virtual Desktop deployments may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.
The License Server VPX appliance does contain a vulnerable version of glibc. Citrix has released a new version of the License Server VPX, 188.8.131.52, that addresses this issue. This new version can be downloaded from the following location on the Citrix Website:
Customers using older versions of the License Server VPX that are not able to upgrade can, as an interim measure, log in to the License Server console and update the VPX using the following command from the command line:
Following the completion of the update, the server should be rebooted to ensure that the updated packages are used.
Citrix XenDesktop Volume Worker Template
Customers deploying Virtual Desktop Agents that are hosted on Citrix CloudPlatform are advised to verify that the volume worker template is using a version of glibc that is not vulnerable to this issue. Setup instructions for the volume worker template on CloudPlatform can be found in Citrix document CTX140428.
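The bulletin tells License Server VPX and volume worker template administrators to update glibc and verify the installed version is not vulnerable, but gives no check. The script below is an added example, not part of the Citrix bulletin: it classifies a glibc version string against the upstream affected range (the getaddrinfo() bug was introduced in glibc 2.9 and fixed in 2.23, an upstream fact not stated in the bulletin) and, because distributions backport the fix without changing the upstream version, also looks for the CVE identifier in the installed package's changelog on RPM and Debian hosts. The changelog paths and package names are assumptions about typical distributions.

```shell
#!/bin/sh
# Added example: is the installed glibc potentially exposed to CVE-2015-7547?
# Not Citrix code; the affected range 2.9 <= v < 2.23 is the upstream fact.

# Compare two dotted version strings; prints -1, 0 or 1.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$a" = "$x" ] && a="" || a="${a#*.}"
    [ "$b" = "$y" ] && b="" || b="${b#*.}"
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then echo -1; return; fi
    if [ "$x" -gt "$y" ]; then echo 1; return; fi
  done
  echo 0
}

# Accepts "glibc 2.22", "2.23-0ubuntu3" or "ldd (GNU libc) 2.31" and reports
# where the bare upstream version falls relative to the affected range.
glibc_upstream_status() {
  v=$(printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n1)
  if [ "$(vercmp "$v" 2.9)" -lt 0 ]; then echo not-affected
  elif [ "$(vercmp "$v" 2.23)" -lt 0 ]; then echo potentially-vulnerable
  else echo fixed
  fi
}

# Distribution backports keep the old version number, so also check whether the
# package changelog references the CVE (assumed paths; returns 2 if unknown).
glibc_changelog_mentions_cve() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --changelog glibc 2>/dev/null | grep -q CVE-2015-7547
  elif [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
    zcat /usr/share/doc/libc6/changelog.Debian.gz | grep -q CVE-2015-7547
  else
    return 2
  fi
}

check_host_glibc() {
  ver=$(getconf GNU_LIBC_VERSION 2>/dev/null || ldd --version | head -n1)
  status=$(glibc_upstream_status "$ver")
  printf 'installed: %s -> upstream range: %s\n' "$ver" "$status"
  if [ "$status" = potentially-vulnerable ]; then
    if glibc_changelog_mentions_cve; then
      echo "changelog references CVE-2015-7547: backported fix likely present"
    else
      echo "no backport evidence found: apply the glibc update and reboot"
    fi
  fi
}

case "${1:-}" in --check) check_host_glibc ;; esac
```

Run it as `sh check_glibc.sh --check` on the host being verified; a "fixed" or "changelog references" result is only as reliable as the package metadata, so confirm with the distribution's own advisory where the result is ambiguous.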
Amazon Web Services based deployments use the Linux AMI template. Guidance from Amazon about this issue can be found at the following location: https://aws.amazon.com/security/security-bulletins/cve-2015-7547-advisory/
Citrix VDI in a Box
Analysis of the impact of this issue on Citrix VDI in a Box is in progress. This section will be updated as soon as additional information is available.
Citrix CloudBridge 7.x does not contain a vulnerable version of glibc and, as such, is not affected by this vulnerability. Analysis of the impact of this issue on Citrix CloudBridge 8.x is in progress. This section will be updated as soon as additional information is available.
Analysis of the impact of this issue on Citrix ByteMobile is in progress. This section will be updated as soon as additional information is available.
The above list will be updated as the analysis into this issue progresses.
Obtaining Support on This Issue
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp.
Reporting Security Vulnerabilities
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Changelog
| Date | Change |
| February 19th 2016 | Initial bulletin publishing |
| February 19th 2016 | Update to NetScaler and XenMobile sections, addition of CloudBridge and ByteMobile sections |
| February 22nd 2016 | Update to NetScaler section for Command Center Appliance |
| February 23rd 2016 | Update to NetScaler section for NetScaler Gateway Client on Linux |
| March 14th 2016 | Update to Licensing section |