Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509
A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website. This vulnerability has the following identifier:
|Unauthorized redirection to a malicious website
|CWE-345: Insufficient Verification of Data Authenticity
|Appliance must be configured as a VPN (Gateway) or AAA virtual server. A victim must use an attacker-crafted link.
The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-24.38
- Citrix ADC and Citrix Gateway 13.0 before 13.0-86.17
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.15
- Citrix ADC 12.1-FIPS before 12.1-55.282
- Citrix ADC 12.1-NDcPP before 12.1-55.282
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action.
Citrix recommends that affected customers install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-24.38 and later releases
- Citrix ADC and Citrix Gateway 13.0-86.17 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.15 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.282 and later releases of 12.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.282 and later releases of 12.1-NDcPP
Note: Customers who have previously copied the httpd.conf file to the /nsconfig directory must follow the steps at https://docs.citrix.com/en-us/citrix-adc/current-release/upgrade-downgrade-citrix-adc-appliance/upgrade-considerations-customized-files.html to ensure this security update is correctly installed.
For assistance from the Kraft Kennedy team, please contact us.