CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
99.9%
A vulnerability has recently been disclosed in the glibc getaddrinfo() function: a stack-based buffer overflow in the DNS resolver code that can be triggered by a crafted DNS response. An attacker who controls, or can spoof replies from, a DNS server queried by a vulnerable process could potentially use this to execute code in the context of that process. The issue has been assigned the following CVE identifier:
CVE-2015-7547: <https://vulners.com/cve/CVE-2015-7547>
The vulnerable function is provided by the GNU C Library (glibc) shipped with many Linux based operating systems. Customers managing Linux platforms on which Citrix components are deployed are advised to apply any appropriate operating system updates as soon as possible.
The following sections provide guidance on the impact and mitigation steps for Linux-based Citrix products. Citrix products that do not include or execute on a Linux based platform are not impacted by this vulnerability.
Windows based components of XenDesktop and XenApp do not include, or use, the vulnerable function and are therefore not impacted by this issue.
Citrix is in the process of analyzing the potential impact of this issue on currently supported products that use or include the vulnerable component. The following section of this advisory provides more information on each product.
NetScaler VPX, NetScaler MPX, NetScaler SDX, NetScaler Insight Center and Command Center Appliance are not affected by this vulnerability.
The NetScaler Gateway Client for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.
Currently supported versions of Citrix XenServer do not contain a vulnerable version of glibc and, as such, are not affected by this vulnerability.
Citrix XenMobile MDM 9.x for Windows is not impacted by this vulnerability. Worx Apps and MDX are not impacted by this vulnerability.
The following XenMobile product versions are impacted by this vulnerability:
To address this vulnerability customers should apply the following updates:
XenMobile Cloud customer deployments have been patched by the Citrix XenMobile Cloud Operations team. For more details contact technical support.
The Receiver for Linux may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.
Citrix Linux Virtual Desktop deployments may be impacted by this operating system vulnerability. Citrix recommends that customers apply any applicable patches to the underlying Linux operating system.
The License Server VPX appliance does contain a vulnerable version of glibc. Citrix has released a new version of the License Server VPX, 11.13.1.2, that addresses this issue. This new version can be downloaded from the following location on the Citrix Website:
<https://www.citrix.com/downloads/licensing.html>
Customers using older versions of the License Server VPX that are not able to upgrade can, as an interim measure, log in to the License Server console and update the installed packages with the following command:
yum update
Following the completion of the update, the server should be rebooted: processes that were already running continue to use the copy of glibc they loaded before the update until they are restarted, so updating the package on disk alone does not remove the exposure.
Customers deploying Virtual Desktop Agents that are hosted on Citrix CloudPlatform are advised to verify that the volume worker template is using a version of glibc that is not vulnerable to this issue. Setup instructions for the volume worker template on CloudPlatform can be found in the following document: <http://docs.citrix.com/content/dam/docs/en-us/cloudplatform/cloudplatform-43/downloads/xa-xd-cloudplatform_2014.pdf>.
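Two of the steps above, applying the update and rebooting so the new glibc is actually in use, and verifying which glibc version a template or host is running, can be checked from a shell. The following POSIX shell script is an added example and is not part of the Citrix advisory or Citrix tooling. The version boundaries it uses (overflow introduced in glibc 2.9, fixed upstream in 2.23) come from the upstream glibc advisory; the sample changelog entry it runs against is constructed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Citrix advisory: post-update checks for the
# glibc fix for CVE-2015-7547 on a Linux host (License Server VPX after
# `yum update`, a volume worker template, or a host running Receiver for Linux).
#
# Assumptions (from the upstream glibc advisory, not from this bulletin):
#   - the overflow was introduced in glibc 2.9 and fixed upstream in glibc 2.23;
#   - distributions backport the fix without changing the version number, so a
#     version in the 2.9..2.22 range means "check the package changelog",
#     not "definitely vulnerable".

# glibc_version_status VERSION
# Prints: not-affected | possibly-vulnerable | fixed-upstream | unknown
glibc_version_status() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0       # no dot: treat as X.0
    minor=${rest%%.*}
    case "$major$minor" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 23 ]; }; then
        echo "fixed-upstream"
    elif [ "$major" -eq 2 ] && [ "$minor" -ge 9 ]; then
        echo "possibly-vulnerable"
    else
        echo "not-affected"
    fi
}

# changelog_mentions_cve  (reads a package changelog on stdin)
# Exit 0 if the distribution recorded the CVE-2015-7547 fix in the changelog.
# Usage:
#   rpm -q --changelog glibc | changelog_mentions_cve                       # RHEL/CentOS
#   zcat /usr/share/doc/libc6/changelog.Debian.gz | changelog_mentions_cve  # Debian/Ubuntu
changelog_mentions_cve() {
    grep -q 'CVE-2015-7547'
}

# stale_libc_pids
# Lists PIDs whose memory maps still reference a libc that was replaced on
# disk (the kernel marks such mappings "(deleted)"). Those processes keep
# running the old code until restarted, which is why the advisory says to
# reboot after the update. Unreadable maps of other users' processes are skipped.
stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        if grep -q 'libc[-.].*(deleted)' "$maps" 2>/dev/null; then
            pid=${maps#/proc/}
            echo "${pid%/maps}"
        fi
    done
}

# Constructed sample of `rpm -q --changelog glibc` output; release and
# maintainer are invented.
SAMPLE_CHANGELOG='* Tue Feb 16 2016 Example Maintainer <maint@example.com> - 2.17-106.el7_2.4
- Fix stack-based buffer overflow in getaddrinfo() (CVE-2015-7547)'

# Demo on the sample data, then on the running host.
echo "sample changelog records the fix: $(printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve && echo yes || echo no)"
for v in 2.8 2.9 2.22 2.23; do
    echo "glibc $v: $(glibc_version_status "$v")"
done
host_ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
if [ -n "$host_ver" ]; then
    echo "this host: glibc $host_ver -> $(glibc_version_status "$host_ver")"
fi
stale=$(stale_libc_pids)
if [ -n "$stale" ]; then
    echo "processes still mapping a replaced libc (restart or reboot): $stale"
fi
```

The version check alone is not a verdict: on RHEL/CentOS 7 the fixed package is still glibc 2.17, so the changelog check is the one that confirms the backport. The stale-mapping check is what tells you whether the reboot (or a restart of the affected services) has actually happened.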
Amazon Web Services based deployments use the Linux AMI template. Guidance from Amazon about this issue can be found at the following location: <https://aws.amazon.com/security/security-bulletins/cve-2015-7547-advisory/>
Citrix VDI-In-A-Box (VIAB) version 5.4.x is impacted by this vulnerability. A new version of VIAB, 5.4.8, has been released to address this vulnerability. This can be found at the following address:
<https://www.citrix.com/downloads/vdi-in-a-box.html>
Citrix CloudBridge 7.x does not contain a vulnerable version of glibc and, as such, is not affected by this vulnerability. Analysis of the impact of this issue on Citrix CloudBridge 8.x is in progress. This section will be updated as soon as additional information is available.
Analysis of the impact of this issue on Citrix ByteMobile is in progress. This section will be updated as soon as additional information is available.
The above list will be updated as the analysis into this issue progresses.
If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at <https://www.citrix.com/support/open-a-support-case.html>.
Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix
Date | Change |
---|---|
February 19th 2016 | Initial bulletin publishing |
February 19th 2016 | Update to NetScaler and XenMobile sections, addition of CloudBridge and ByteMobile sections |
February 22nd 2016 | Update to NetScaler section for Command Center Appliance |
February 23rd 2016 | Update to NetScaler section for Netscaler Gateway Client on Linux |
March 14th 2016 | Update to Licensing section |
May 5th 2016 | Update to XenMobile section |
May 9th 2016 | Clarify XenMobile section |
May 16th 2016 | Update to XenDesktop Volume Worker Template section |
November 17th 2016 | Update to VDI in a Box section |