MaxClient on Httpd


Article ID: CTX331588


Description

As highlighted at https://support.citrix.com/article/CTX330728, it is possible for a malicious actor to temporarily disrupt the performance of the Management GUI, Nitro API, and RPC communication on Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP Edition appliances unless the appliance has been configured to prevent this. This issue has been given the following CVE identifier: CVE-2021-22956. 

Note that CLI access is not affected by this vulnerability.  

Citrix strongly recommends that network traffic to the appliance’s management interface is separated, either physically or logically, from normal network traffic. Doing so greatly diminishes the risk of exploitation. See https://docs.citrix.com/en-us/citrix-adc/citrix-adc-secure-deployment/secure-deployment-guide.html for more information. 

 

Resolution

To address this issue, a setting, 'maxclientForHttpdInternalService', has been introduced in the following versions: 

  • Citrix ADC and Citrix Gateway 13.1-4.43 and later releases of 13.1 

  • Citrix ADC and Citrix Gateway 13.0-83.27 and later releases of 13.0 

  • Citrix ADC and Citrix Gateway 12.1-63.22 and later releases of 12.1 

  • Citrix ADC and NetScaler Gateway 11.1-65.23 and later releases of 11.1 

  • Citrix ADC 12.1-FIPS 12.1-55.257 and later releases of 12.1-FIPS 

  • Citrix SD-WAN WANOP Edition 11.4.2 and later releases of 11.4 

  • Citrix SD-WAN WANOP Edition 10.2.9c and later releases of 10.2 

 

Remediation configuration 

1. Log on to the appliance via SSH and enter the “shell” command. 

2. Note the value of 'MaxClients' in /etc/httpd.conf, then return to the nsCLI with the “exit” command:

 

grep MaxClients /etc/httpd.conf
exit



3. Set maxclient parameter in the following services:

set service nshttpd-gui-127.0.0.1-80 -maxclient <value> 
set service nshttpd-vpn-127.0.0.1-81 -maxclient <value>
set service nshttps-127.0.0.1-443 -maxclient <value>
save config


 

Points to note 

  • It is recommended to use the same value as noted in step 2. The default is 30, but it may have been changed from the default by the customer as described in CTX255947.
  • For the 12.1-FIPS version, the port 81 command in step 3 is not supported, so it is not required and can be ignored:
    “set service nshttpd-vpn-127.0.0.1-81 -maxclient <value>”
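The following POSIX shell script is an added example and not Citrix tooling. It automates steps 2 and 3 above: it reads the active MaxClients directive from an httpd.conf (ignoring commented-out lines, falling back to the documented default of 30 when the directive is absent, and rejecting non-numeric values), then prints the nsCLI commands to paste, omitting the port 81 service when told the appliance is 12.1-FIPS. The function names, the "fips" flag, and the sample httpd.conf contents are assumptions made for this example; the service names and the -maxclient parameter are those given in step 3.

```shell
#!/bin/sh
# Added example (not Citrix's own tooling): derive the MaxClients value from an
# httpd.conf and emit the nsCLI commands from the remediation steps above.
# Assumptions: the file uses the Apache "MaxClients <n>" directive form, and
# the service names / -maxclient parameter are exactly as given in step 3.

# Print the MaxClients value found in the file given as $1.
# Uses the last active (uncommented) directive, as Apache does; falls back to
# 30 (the documented default) if it is absent; fails on a non-numeric value.
maxclients_from_conf() {
    conf="$1"
    val=$(grep -E '^[[:space:]]*MaxClients[[:space:]]' "$conf" | tail -n 1 | awk '{print $2}')
    if [ -z "$val" ]; then
        val=30
    fi
    case "$val" in
        *[!0-9]*|0) echo "invalid MaxClients value: '$val'" >&2; return 1 ;;
    esac
    echo "$val"
}

# Emit the nsCLI commands for the internal httpd services.
# $1 = maxclient value; $2 = "fips" to omit the port 81 service, which is not
# supported on 12.1-FIPS (any other value, or no value, emits all three).
nscli_maxclient_cmds() {
    value="$1"
    edition="${2:-standard}"
    echo "set service nshttpd-gui-127.0.0.1-80 -maxclient $value"
    if [ "$edition" != "fips" ]; then
        echo "set service nshttpd-vpn-127.0.0.1-81 -maxclient $value"
    fi
    echo "set service nshttps-127.0.0.1-443 -maxclient $value"
    echo "save config"
}

# Constructed sample httpd.conf (not a real appliance file) so the script
# runs stand-alone; on an appliance you would pass /etc/httpd.conf instead.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# MaxClients 100   <- commented out, must be ignored
ServerName localhost
MaxClients 30
Timeout 300
EOF

MC=$(maxclients_from_conf "$SAMPLE_CONF")
nscli_maxclient_cmds "$MC"
rm -f "$SAMPLE_CONF"
```

Run it in the appliance shell against /etc/httpd.conf and paste the printed lines into the nsCLI; pass "fips" as the second argument to nscli_maxclient_cmds on 12.1-FIPS so the unsupported port 81 line is not generated.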