Identify and remediate vulnerabilities for CVE-2021-22956
In the Citrix ADM security advisory dashboard, under Current CVEs > <number of> ADC instances are impacted by common vulnerabilities and exposures (CVEs), you can see all the instances that are vulnerable due to this specific CVE. To check the details of the CVE-2021-22956 impacted instances, select CVE-2021-22956 and click View Affected Instances.
The <number of> ADC instances impacted by CVEs window appears. Here you see the count and details of the ADC instances impacted by CVE-2021-22956.
For more information about the security advisory dashboard, see Security Advisory.
It might take some time for the security advisory system scan to complete and reflect the impact of CVE-2021-22956 in the security advisory module. To see the impact sooner, start an on-demand scan by clicking Scan Now.
Identify CVE-2021-22956 impacted instances
CVE-2021-22956 requires a custom scan, in which the ADM service connects to the managed ADC instance and pushes a script to the instance. The script runs on the ADC instance and checks the Apache configuration file (httpd.conf) and the maximum client connections (maxclient) parameters to determine whether the instance is vulnerable. The information the script returns to the ADM service is the vulnerability status as a Boolean (true or false). The script also returns to the ADM service a list of max_clients counts for the different network interfaces, for example localhost, NSIP, and SNIP with management access. You can see a detailed report of this list in the CSV file that you can download from the Scan Logs tab on the Security Advisory page.
This script runs every time your scheduled or on-demand scan runs. After the scan is completed, the script is deleted from the ADC instance.
For CVE-2021-22956-impacted ADC instances, the remediation is a two-step process. In the GUI, under Current CVEs > ADC instances are impacted by CVEs, you can see steps 1 and 2.
The two steps are:
- Upgrading the vulnerable ADC instances to a release and build that has the fix.
- Applying the required configuration commands using the customizable built-in configuration template in configuration jobs.
Under Current CVEs > ADC instances impacted by CVEs, you see two separate workflows for this two-step remediation process: Proceed to upgrade workflow and Proceed to configuration job workflow.
Step 1: Upgrade the vulnerable ADC instances
To upgrade the vulnerable instances, select the instances and click Proceed to upgrade workflow. The upgrade workflow opens with the vulnerable ADC instances already populated.
For more information on how to use Citrix ADM to upgrade ADC instances, see Create an ADC upgrade job.
This step can be done at once for all the vulnerable ADC instances.
Step 2: Apply configuration commands
After you have upgraded the impacted instances, in the <number of> ADC instances impacted by CVEs window, select the instance impacted by CVE-2021-22956 and click Proceed to configuration job workflow. The workflow includes the following steps.
- Customizing the configuration.
- Reviewing the auto-populated impacted instances.
- Specifying inputs for variables for the job.
- Reviewing the final config with variable inputs populated.
- Running the job.
Keep the following points in mind before you select an instance and click Proceed to configuration job workflow:
- For an ADC instance impacted by multiple CVEs (such as CVE-2020-8300, CVE-2021-22927, CVE-2021-22920, and CVE-2021-22956): when you select the instance and click Proceed to configuration job workflow, the built-in configuration template does not auto-populate under Select configuration. Manually drag and drop the appropriate config job template from Security Advisory Template to the config job pane on the right side.
- For multiple ADC instances that are impacted by CVE-2021-22956 only: you can run config jobs on all instances at once. For example, you have ADC 1, ADC 2, and ADC 3, and all of them are impacted only by CVE-2021-22956. Select all these instances and click Proceed to configuration job workflow, and the built-in configuration template auto-populates under Select configuration. Refer to the known issue NSADM-80913 in the release notes.
- For multiple ADC instances impacted by CVE-2021-22956 and one or more other CVEs (such as CVE-2020-8300, CVE-2021-22927, and CVE-2021-22920), which require remediation to be applied to one ADC at a time: when you select these instances and click Proceed to configuration job workflow, an error message appears telling you to run the config job on one ADC at a time.
Step 1: Select configuration
In the configuration job workflow, the built-in configuration base template auto-populates under Select configuration.
Step 2: Select the instance
The impacted instance is auto-populated under Select Instances. Select the instance. If this instance is part of an HA pair, select Execute on Secondary Nodes. Click Next.
For ADC instances in cluster mode, the ADM security advisory supports running the config job only on the cluster configuration coordinator (CCO) node. Run the commands on the non-CCO nodes separately.
rc.netscaler is synced across all HA and cluster nodes, making the remediation persistent after each restart.
Step 3: Specify variable values
Enter the variable values.
Select one of the following options to specify variables for your instances:
- Common variable values for all instances: Enter a common value for the variable.
- Upload input file for variables values: Click Download Input Key File to download an input file. In the input file, enter values for the variable max_client and then upload the file to the ADM server. Refer to the known issue NSADM-80913 in the release notes for an issue with this option.
For both options, the recommended max_client value is 30. You can set the value according to your present value; however, it must not be zero, and it must be less than or equal to the MaxClients value set in the /etc/httpd.conf file. You can check the present value in the Apache HTTP Server configuration file /etc/httpd.conf on the ADC instance by searching for the string MaxClients.
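The following shell script is an added example, not Citrix's scan script or any part of the ADM template. It shows the check described above: read the MaxClients directive from an httpd.conf (the same file the custom scan inspects) and validate a proposed max_client value against the stated constraints (non-zero, and not greater than MaxClients). The httpd.conf content is constructed for the example; on an ADC instance the real file is /etc/httpd.conf, and the directive is assumed to appear as "MaxClients <n>" on its own line.

```shell
#!/bin/sh
# Added example (not Citrix's code): validate a proposed max_client value
# against the MaxClients directive in an Apache httpd.conf.

# Print the MaxClients value from the given httpd.conf path.
# Commented-out directives are ignored; the last active match wins.
# Prints nothing if the directive is absent.
get_max_clients() {
  conf="$1"
  grep -i '^[[:space:]]*MaxClients[[:space:]]' "$conf" 2>/dev/null \
    | tail -n 1 | awk '{print $2}'
}

# Check a proposed max_client value: it must be a positive integer and
# must not exceed MaxClients from httpd.conf.
# Returns 0 if acceptable, 1 otherwise, and prints the reason.
check_max_client() {
  proposed="$1"
  conf="$2"
  limit=$(get_max_clients "$conf")
  case "$proposed" in
    ''|*[!0-9]*) echo "rejected: '$proposed' is not a non-negative integer"; return 1 ;;
  esac
  if [ "$proposed" -eq 0 ]; then
    echo "rejected: max_client must not be zero"; return 1
  fi
  if [ -z "$limit" ]; then
    echo "rejected: MaxClients not found in $conf"; return 1
  fi
  if [ "$proposed" -gt "$limit" ]; then
    echo "rejected: $proposed exceeds MaxClients=$limit in $conf"; return 1
  fi
  echo "ok: max_client=$proposed (MaxClients=$limit)"
  return 0
}

# Constructed sample httpd.conf for demonstration only
# (a real ADC instance uses /etc/httpd.conf).
SAMPLE_CONF="${TMPDIR:-/tmp}/httpd.conf.example.$$"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample, not a real ADC configuration
ServerRoot "/var"
#MaxClients 512
MaxClients 150
Listen 80
EOF

# Demonstrate the three cases from the text: recommended value, zero, too large.
for value in 30 0 200; do
  check_max_client "$value" "$SAMPLE_CONF" || :
done
```

Run the script as-is to see the three verdicts; to check a real instance, call check_max_client with your intended value and /etc/httpd.conf before entering it as the job variable.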
Step 4: Preview the configuration
Preview the configuration with the variable values inserted, and click Next.
Step 5: Run the job
Click Finish to run the configuration job.
After the job is run, it appears under Infrastructure > Configuration > Configuration Jobs.
After completing the two remediation steps for all vulnerable ADCs, you can run an on-demand scan to see the revised security posture.