Citrix is aware of recent vulnerability reports that impact GNU Bash and is actively investigating the potential impact of these issues on Citrix products. There are a number of CVEs related to this issue, the current set includes:

• CVE-2014-6271 
• CVE-2014-6277 
• CVE-2014-6278 
• CVE-2014-7169 
• CVE-2014-7186 
• CVE-2014-7187
  

The following sections provide some initial guidance to customers on the potential impact of this issue. Please note that this issue is under active analysis and, as such, customers should check back frequently to get the current status of our response.

Most XenApp and XenDesktop components are Windows-based and, as such, are not affected by this vulnerability. Citrix recommends that customers review the following list for more information on specific components:

• Citrix XenDesktop Volume Worker Virtual Machines: Citrix recommends that customers ensure that the virtual machine being used to host the Volume Worker has been patched for this issue.
• Citrix Receivers for Linux, Mac and Android: In line with best practice, Citrix recommends that customers apply any necessary updates to client operating systems. 
• Citrix Web Interface when deployed on Unix-based web servers: We recommend that customers verify that the underlying webserver is not vulnerable to this issue.  
• Current versions of Citrix Web Interface when deployed on Windows platforms are not affected by this issue.
• Current versions of Citrix Secure Gateway running on Windows platforms are not affected by this issue.
• Citrix Licensing: Please refer to the Citrix Licensing section of this document.
• Citrix Merchandising Server: We are still in the process of investigating the potential impact of this issue on the Merchandising Server. This document will be updated when more information is available.

We are not currently aware of any direct risk from this issue to any remote NetScaler interfaces. As a defence in depth measure Citrix has included patches for these issues in NetScaler versions 10.5-52.11, 10.1-129.11 and 9.3-67.5.

Citrix has released updates that address this issue on the NetScaler SDX. Customers are advised to upgrade to the following versions:

• 10.5.52.11r1 or later
• 10.1.129.11r1 or later
• 9.3.67.5r1 or later

Citrix has released security bulletin CTX200223 to cover the impact of Shellshock on XenServer. It is available at the following location:

https://support.citrix.com/article/CTX200223.

The following XenClient Enterprise engines are impacted by this issue when configured to use DHCP:

• All versions of XenClient Enterprise Engine version 4.x: A new version of XenClient Enterprise, 4.5.8, has been released to address this issue. This can be found at the following address:
  https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-45.html
• All versions of XenClient Enterprise Engine version 5.x up to and including version 5.1.4: A new version of XenClient Enterprise, 5.1.5, has been released to address this issue. This can be found at the following address:
  https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-51.html.

We are not aware of any direct risk from this issue. In line with existing best practice, customers are advised ensure that any applicable security patches are applied to the underlying operating system.

We are not aware of any direct risk from this issue. In line with existing best practice, customers are advised to ensure that any applicable security patches are applied to the underlying operating system that is being used to host the synchronizer.

Analysis of the impact to XenMobile components is continuing. The following list contains our current guidance for XenMobile components:

• XenMobile Device Manager, XenMobile NetScaler Connector and XenMobile Mail Manager: On-premise versions of these products are not believed to be affected by this vulnerability.
• AppController: The on-premise version of AppController is not vulenrable to this issue. However, fixes have been released for this as a defence in depth measure. This patch is available on the Citrix website at the following address:
  https://support.citrix.com/article/CTX142031
  
• Citrix recommends that customers using affected versions of App Controller apply this patch to their appliances as soon as their patching schedule allows. 
• XenMobile Client for iOS and Android: These clients are not believed to be directly affected by this vulnerability. In line with best practice, Citrix recommends that customers apply any necessary updates to client operating systems.
• XenMobile Client for Windows Phone: This client is not believed to be affected.
• XenMobile Cloud: We do not currently believe that the cloud hosted versions of XenMobile Device Manager and AppController are vulnerable this issue. However, we are continuing to investigate and this guidance will be updated as our analysis continues.

Analysis of the impact to ByteMobile is continuing, the following list contains our current guidance for ByteMobile components:

• ByteMobile Adaptive Traffic Management: Current versions of the ATM component are vulnerable to this issue. Citrix will be releasing updated versions in the near future, details of the fixes will be added to this document as soon as they are available.
• ByteMobile Video Cache: Video Cache is vulnerable to this issue, details for remediation will be added to this document as soon as they are available.
• ByteMobile Traffic Director: We are not currently aware of any direct risk from this issue to the main data path for Traffic Director. Some risk may exist for management interfaces so, in line with existing best practice, we recommend that access to any Traffic Director management interfaces are constrained to trusted users and networks only.
• ByteMobile BEM, BRD, BDL, PPG: We recommend that all customers update their Linux OS to remediate the known issues.

Analysis of the impact to SaaS solutions is continuing. The following list contains our current guidance for SaaS solutions:

• GoToMeeting:  GoToMeeting is not currently believed to be vulnerable to this issue.  
• GoToTraining:  GoToTraining is not currently believed to be vulnerable to this issue.  
• GoToWebinar:  GoToWebinar is not currently believed to be vulnerable to this issue.  
• ShareFile:  ShareFile is not currently believed to be vulnerable to this issue.  
• GoToMyPC:  GoToMyPC is not currently believed to be vulnerable to this issue.  
• GoToAssist:  GoToAssist is not currently believed to be vulnerable to this issue.  
• OpenVoice:  OpenVoice is not currently believed to be vulnerable to this issue.  
• Citrix Labs Products (GoToMeet.me, GoToMeeting Free, Convoi, Talkboard, ShareConnect):  Citrix Labs Products are not currently believed to be vulnerable to this issue.

We are not currently aware of any direct risk from this issue to the CloudPlatform system virtual machines. As a defence in depth measure, Citrix has included patches for these issues in new versions of the system templates. These can be downloaded from the Citrix website at the following address:

https://www.citrix.com/downloads/cloudplatform/product-software.html

Additionally, customers are advised to update their management servers and guest virtual machines as well as any virtual machine snapshots, templates, or ISO files to a non-vulnerable version of bash. Citrix recommend that customers follow existing Citrix best practices for securing their CloudPlatform systems including ensuring access to any CloudPlatform management interfaces are constrained only to trusted users and networks.

We are not aware of any direct risk from this issue. In line with existing best practice, customers are advised ensure that any applicable security patches are applied to the underlying operating system.

Citrix License Server VPX: VPX machines that are configured to use DHCP are impacted by this issue. The license server inside the VPX is not impacted because it does not use bash. A new version of the License Server VPX has been released to address this issue. This new version can be downloaded from the folowing address: Version 11.12.1: https://www.citrix.com/downloads/licensing/license-server.html

Customers that are not able to upgrade immediately can reconfigure the VPX to use a static IP address or implement network filtering to limit the risk of a malicious DHCP response being sent to the VPX. Citrix also recommends that network access to this VPX is restricted.

We are not aware of any direct risk posed to the Merchandising Server from this vulnerability. This guide will be updated if further information becomes available.

The following versions of Citrix VDI-In-A-Box (VIAB) are impacted by this vulnerability:

Citrix VDI-In-A-Box 5.4.x: A new version of VIAB, 5.4.5, has been released to address this issue. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-54.html

Citrix VDI-In-A-Box 5.3.x: A new version of VIAB, 5.3.10, has been released to address this vulnerability. This can be found at the following address: https://www.citrix.com/downloads/vdi-in-a-box/product-software/vdi-in-a-box-53.html