Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509

book

Article ID: CTX457836

calendar_today

Updated On:

Description

A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website. 

This vulnerability has the following identifier: 

CVE-ID  

Description  

CWE  

Pre-conditions 

CVE-2022-27509 

Unauthenticated redirection to a malicious website  

CWE-345: Insufficient Verification of Data Authenticity   

 

Appliance must be configured as a VPN (Gateway) or AAA virtual server 

 

A victim user must use an attacker-crafted link 

The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability: 

  • Citrix ADC and Citrix Gateway 13.1 before 13.1-24.38 

  • Citrix ADC and Citrix Gateway 13.0 before 13.0-86.17 

  • Citrix ADC and Citrix Gateway 12.1 before 12.1-65.15 

  • Citrix ADC 12.1-FIPS before 12.1-55.282 

  • Citrix ADC 12.1-NDcPP before 12.1-55.282 

This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway appliances. Customers using Citrix-managed cloud services do not need to take any action. 


Instructions

Citrix recommends that affected customers install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible: 

  • Citrix ADC and Citrix Gateway 13.1-24.38 and later releases 

  • Citrix ADC and Citrix Gateway 13.0-86.17 and later releases of 13.0  

  • Citrix ADC and Citrix Gateway 12.1-65.15 and later releases of 12.1  

  • Citrix ADC 12.1-FIPS 12.1-55.282 and later releases of 12.1-FIPS  

  • Citrix ADC 12.1-NDcPP 12.1-55.282 and later releases of 12.1-NDcPP 

Note: Customers who have previously copied the httpd.conf file to the /nsconfig directory must follow the steps at URL to ensure this security update is correctly installed. 


Acknowledgements

Citrix would like to thank James Kettle of PortSwigger for working with us to protect Citrix customers.

Additional Information

DateChange
2022-07-26Initial Publication