Citrix Endpoint Management (XenMobile Server) Security Bulletin for CVE-2021-44519, CVE-2021-44520, and CVE-2022-26151

Article ID: CTX370551

Description

Vulnerabilities have been discovered in Citrix Endpoint Management (XenMobile Server), which, collectively, may allow a XenMobile console user with either an admin role or a custom role that has ‘Create Support Bundles’ enabled, to gain root access to the underlying OS. 

| CVE-ID | Description | CWE | Pre-conditions |
|---|---|---|---|
| CVE-2021-44519 | Unauthorized access to the underlying OS | CWE-284: Improper Access Control | A XenMobile console user must have either an admin role or a custom role that has ‘Create Support Bundles’ enabled. These permissions can only be assigned by an admin user. |
| CVE-2021-44520 | Unauthorized root access to the underlying OS | CWE-284: Improper Access Control | Access to the underlying OS |
| CVE-2022-26151 | Unauthorized root access to the underlying OS | CWE-20: Improper Input Validation | Admin access to XenMobile Server CLI |

The issues affect the following supported versions of Citrix Endpoint Management (XenMobile Server):

CVE-2021-44519, CVE-2021-44520 - Medium severity: 

  • XenMobile Server 10.14.0 before rolling patch 4 

  • XenMobile Server 10.13.0 before rolling patch 7 

 

CVE-2022-26151 - Low severity: 

  • XenMobile Server 10.14.0 before rolling patch 5 

  • XenMobile Server 10.13.0 before rolling patch 8 


Instructions

The issues have been addressed in the following supported versions of Citrix Endpoint Management (XenMobile Server):

CVE-2021-44519, CVE-2021-44520 - Medium severity:

  • XenMobile Server 10.14.0 rolling patch 4 and later releases of 10.14.0 

  • XenMobile Server 10.13.0 rolling patch 7 and later releases of 10.13.0 

 

CVE-2022-26151 - Low severity:

  • XenMobile Server 10.14.0 rolling patch 5 and later releases of 10.14.0 

  • XenMobile Server 10.13.0 rolling patch 8 and later releases of 10.13.0 

 

Citrix recommends that affected customers upgrade to a fixed version as soon as their patching schedule allows. 

The latest versions of Citrix XenMobile Server can be downloaded from the following location: 

https://www.citrix.com/downloads/citrix-endpoint-management/product-software/xenmobile-10-server.html  


Acknowledgements

Citrix thanks Chiu TsungShu and Sheng-Fu Chang of CHT Security for working with us to protect Citrix customers.

Additional Information

| Date | Change |
|---|---|
| 2022-04-12 | Initial Publication |