Remediate vulnerabilities for CVE-2021-22927 and CVE-2021-22920
In the Citrix Application Delivery and Management security advisory dashboard, under Current CVEs > <number of> ADC instances are impacted by CVEs, you can see all the instances vulnerable to CVE-2021-22927 and CVE-2021-22920. To check the details of the instances impacted by these two CVEs, select one or more CVEs and click View Affected Instances.
It might take a couple of hours for the security advisory system scan to conclude and reflect the impact of CVE-2021-22927 and CVE-2021-22920 in the security advisory module. To see the impact sooner, start an on-demand scan by clicking Scan-Now. For more information about the security advisory dashboard, see Security Advisory.
The <number of> ADC instances impacted by CVEs window appears. In the following screen capture, you can see the count and details of the ADC instances impacted by CVE-2021-22927 and CVE-2021-22920.
Remediate CVE-2021-22927 and CVE-2021-22920
For ADC instances impacted by CVE-2021-22927 and CVE-2021-22920, the remediation is a two-step process. In the GUI, under Current CVEs > ADC instances are impacted by CVEs, you can see steps 1 and 2.
The two steps include:
- Upgrading the vulnerable ADC instances to a release and build that has the fix.
- Applying the required configuration commands using the customizable built-in configuration template in configuration jobs. Do this step for each vulnerable ADC one at a time, and include all SAML actions for that ADC.
Skip step 2 if you’ve already run configuration jobs on the ADC instance for CVE-2020-8300.
Under Current CVEs > ADC instances impacted by CVEs, you see two separate workflows for this two-step remediation process: Proceed to upgrade workflow and Proceed to configuration job workflow.
Step 1: Upgrade the vulnerable ADC instances
To upgrade the vulnerable instances, select the instances and click Proceed to upgrade workflow. The upgrade workflow opens with the vulnerable ADC instances already populated.
For more information on how to use Citrix Application Delivery and Management to upgrade ADC instances, see Create an ADC upgrade job.
This step can be done at once for all the vulnerable ADC instances.
Note: After you have completed step 1 for all the ADC instances vulnerable to CVE-2021-22920 and CVE-2021-22927, run an on-demand scan. The updated security posture under Current CVEs shows whether the ADC instances are still vulnerable to any of these CVEs, and from the new posture you can check whether you still need to run configuration jobs. If you had already applied the appropriate configuration jobs to an ADC instance for CVE-2020-8300 and have now upgraded it, the on-demand scan no longer shows that instance as vulnerable to CVE-2020-8300, CVE-2021-22920, or CVE-2021-22927.
Step 2: Apply configuration commands
After you’ve upgraded the impacted instances, in the <number of> ADC instances impacted by CVEs window, select one instance impacted by CVE-2021-22927 and CVE-2021-22920 and click Proceed to configuration job workflow. The workflow includes the following steps.
- Customizing the configuration.
- Reviewing the auto-populated impacted instances.
- Specifying inputs for variables for the job.
- Reviewing the final config with variable inputs populated.
- Running the job.
Keep the following points in mind before you select an instance and click Proceed to configuration job workflow:
For an ADC instance impacted by multiple CVEs (such as CVE-2020-8300, CVE-2021-22927, CVE-2021-22920, and CVE-2021-22956): when you select the instance and click Proceed to configuration job workflow, the built-in configuration template does not auto-populate under Select configuration. Drag and drop the appropriate config job template under Security Advisory Template manually to the config job pane on the right side.
For multiple ADC instances that are impacted by CVE-2021-22956 only: you can run config jobs on all instances at once. For example, you have ADC 1, ADC 2, and ADC 3, and all of them are impacted only by CVE-2021-22956. Select all these instances and click Proceed to configuration job workflow, and the built-in configuration template auto-populates under Select configuration. Refer to the known issue NSADM-80913 in the release notes.
For multiple ADC instances impacted by CVE-2021-22956 and one or more other CVEs (such as CVE-2020-8300, CVE-2021-22927, and CVE-2021-22920), which require remediation to be applied to one ADC at a time: when you select these instances and click Proceed to configuration job workflow, an error message appears telling you to run the config job on one ADC at a time.
Step 1: Select configuration
In the configuration job workflow, the built-in configuration base template auto-populates under Select configuration.
If the ADC instance selected in step 2 for applying configuration commands is vulnerable to CVE-2021-22927, CVE-2021-22920, and also CVE-2020-8300, the base template for CVE-2020-8300 is auto-populated. The CVE-2020-8300 template is a superset of the config commands required for all three CVEs. Customize this base template according to your ADC instance deployment and requirements.
You must run a separate configuration job for each impacted ADC instance, one at a time, and include all SAML actions for that ADC. For example, if you have two vulnerable ADC instances, each with two SAML actions, you must run this configuration job twice: once per ADC, covering all of its SAML actions.
Job 1 (first ADC): two SAML actions. Job 2 (second ADC): two SAML actions.
Give the job a name and customize the template to the following specifications. The built-in configuration template is only an outline or base template; customize it for your deployment according to the following requirements:
a. SAML actions and their associated domains
Depending on the number of SAML actions in your deployment, you must replicate lines 1–3 of the template and customize the domains for each SAML action.
For example, if you have two SAML actions, repeat lines 1–3 twice and customize the variable definitions for each SAML action accordingly.
If you have N domains for a SAML action, you must manually type the line
bind patset $saml_action_patset$ "$saml_action_domain1$"
N times for that SAML action, so that each domain gets its own bind line, and change the following variable definition names so that every copy is distinct:
saml_action_patset: the config template variable for the name of the pattern set (patset) for the SAML action. You specify the real value in step 3 of the config job workflow. See Step 3: Specify variable values in this document.
saml_action_domain1: the config template variable for the domain name of that specific SAML action. You specify the real value in step 3 of the config job workflow. See Step 3: Specify variable values in this document.
To find all the SAML actions for a device, run the command
Step 2: Select the instance
The impacted instance is auto-populated under Select Instances. Select the instance and click Next.
Step 3: Specify variable values
Enter the variable values.
saml_action_patset: enter the name of the pattern set (patset) for the SAML action
saml_action_domain1: enter a domain in the format
saml_action_name: enter the name of the SAML action for which you are configuring the job
Step 4: Preview the configuration
Preview the configuration with the variable values inserted, and click Next.
Step 5: Run the job
Click Finish to run the configuration job.
After the job is run, it appears under Infrastructure > Configuration > Configuration Jobs.
After completing the two remediation steps for all vulnerable ADCs, you can run an on-demand scan to see the revised security posture.
In this scenario, three ADC instances (ADC 1, ADC 2, and ADC 3) are vulnerable to CVE-2021-22920, and you need to remediate all of them. Follow these steps:
- Upgrade all three ADC instances by following the steps in Step 1: Upgrade the vulnerable ADC instances in this document.
- Apply the configuration patch to one ADC at a time, using the configuration job workflow. See the steps in Step 2: Apply configuration commands in this document.
The vulnerable ADC 1 has two SAML actions:
- SAML action 1 has one domain
- SAML action 2 has two domains
Select ADC 1 and click Proceed to configuration job workflow. The built-in base template auto-populates. Next, give the job a name and customize the template according to the configuration above.
The following table lists the variable definitions for customized parameters.
Table. Variable definitions for SAML action
| ADC configuration | Variable definition for patset | Variable definition for SAML action name | Variable definition for domain |
|---|---|---|---|
| SAML action 1 has one domain | saml_action_patset1 | saml_action_name1 | saml_action_domain1 |
| SAML action 2 has two domains | saml_action_patset2 | saml_action_name2 | saml_action_domain2, saml_action_domain3 |
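The bookkeeping described under "SAML actions and their associated domains" and shown in the table above is easy to get wrong by hand once an ADC has several SAML actions with several domains each: every copy of the template block needs distinct variable names, and every domain needs its own bind line. The following Python script is an added example, not Citrix code and not the ADM template itself. It takes the list of SAML actions for one ADC and produces the numbered variable names (one row per action, as in the table), the customized template lines, and the Step 3 variable values, then renders the Step 4 preview. Only the bind patset line quoted in this document is reproduced; the other template lines are not. The SAML action, patset, and domain names in SCENARIO_ADC1 are constructed to match ADC 1 above and are assumptions.

```python
"""Expand the Security Advisory base template for one ADC.

Added example (not Citrix code, not the ADM template): replicates the
'bind patset' line once per domain and numbers the variables the way the
table in the doc does (saml_action_patset1, saml_action_name1,
saml_action_domain1, ...). Only the bind line quoted in the doc is
reproduced; the other template lines are not.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SamlAction:
    name: str        # SAML action name as configured on the ADC
    patset: str      # pattern set to create for this action
    domains: tuple   # domains allowed for this action, at least one


# Constructed input matching the doc's ADC 1; all names are assumptions.
SCENARIO_ADC1 = (
    SamlAction("saml_act_hr", "saml_patset_hr", ("hr.example.com",)),
    SamlAction("saml_act_portal", "saml_patset_portal",
               ("portal.example.com", "login.example.com")),
)


def customize_template(actions):
    """Return (rows, template_lines, values) for one ADC.

    rows:           one dict per SAML action naming its variables (the table)
    template_lines: the customised template, still using $variables$
    values:         Step 3 of the job workflow, variable name -> real value
    Domain variables are numbered across all actions so no name repeats.
    """
    if not actions:
        raise ValueError("an ADC with no SAML actions needs no config job")
    patsets = [a.patset for a in actions]
    if len(set(patsets)) != len(patsets):
        raise ValueError("each SAML action needs its own patset name")
    rows, lines, values = [], [], {}
    domain_no = 1
    for i, action in enumerate(actions, start=1):
        if not action.domains:
            raise ValueError(f"{action.name}: at least one domain required")
        patset_var = f"saml_action_patset{i}"
        name_var = f"saml_action_name{i}"
        values[patset_var] = action.patset
        values[name_var] = action.name
        domain_vars = []
        for domain in action.domains:
            domain_var = f"saml_action_domain{domain_no}"
            domain_no += 1
            values[domain_var] = domain
            domain_vars.append(domain_var)
            # The template line quoted in the doc, one copy per domain.
            lines.append(f'bind patset ${patset_var}$ "${domain_var}$"')
        rows.append({"action": action.name, "patset_var": patset_var,
                     "name_var": name_var, "domain_vars": domain_vars})
    return rows, lines, values


_VAR = re.compile(r"\$([A-Za-z0-9_]+)\$")


def preview(template_lines, values):
    """Step 4 of the workflow: substitute every $variable$ with its value.

    Fails if a variable has no value, rather than producing a half-filled
    command that would be pushed to the ADC.
    """
    def sub(match):
        try:
            return values[match.group(1)]
        except KeyError:
            raise KeyError(f"no value given for ${match.group(1)}$") from None
    return [_VAR.sub(sub, line) for line in template_lines]


if __name__ == "__main__":
    rows, lines, values = customize_template(SCENARIO_ADC1)
    for row in rows:
        print(row)
    print("\n".join(preview(lines, values)))
```

Running the script prints one row per SAML action with its variable names, then the three substituted bind lines for ADC 1. A domain variable that is missing from the Step 3 values makes preview() raise instead of rendering a partial command, which is the check you want before the job reaches the ADC.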
Under Select Instances, select ADC 1 and click Next. The Specify Variable Values window appears. In this step, provide values for all the variables defined in the previous step.
Next, review the variables.
Click Next and then click Finish to run the job.
After the job is run, it appears under Infrastructure > Configuration > Configuration Jobs.
After completing the two remediation steps for ADC 1, follow the same steps to remediate ADC 2 and ADC 3. After remediation is complete, run an on-demand scan to see the revised security posture.