Release notes for Citrix ADM service July 14, 2021 release
This release notes document describes the enhancements and changes, fixed issues, and known issues that exist for the Citrix ADM service release build July 14, 2021.
This release notes document does not include security related fixes. For a list of security related fixes and advisories, see the Citrix security bulletin.
The enhancements and changes that are available in build July 14, 2021.
Support for identification and remediation of CVE-2021-22919, CVE-2021-22927, and CVE-2021-22920
Citrix ADM security advisory now supports identification and remediation of three new CVEs: CVE-2021-22919, CVE-2021-22927, and CVE-2021-22920.
Remediation for CVE-2021-22919 requires an upgrade of the vulnerable ADC instances to a release and build that has the fix. Remediation for CVE-2021-22927 and CVE-2021-22920 requires a two-step process:
- Upgrade the vulnerable ADC instance to a release and build that has the fix.
- Apply configuration jobs.
For more information about how to remediate CVE-2021-22919 and other CVEs, see Security Advisory.
For more information about security advisory and how to remediate CVE-2021-22927 and CVE-2021-22920, see Remediate vulnerabilities for CVE-2021-22927 and CVE-2021-22920.
For details about how to remediate CVE-2020-8300, see Remediate vulnerabilities for CVE-2020-8300.
It might take a couple of hours for security advisory system scan to conclude and reflect the impact of CVE-2021-22919, CVE-2021-22927, and CVE-2021-22920 in the security advisory module. To see the impact sooner, start an on-demand scan by clicking Scan-Now.
Splunk integration to view security violations
You can now integrate Citrix ADM service with Splunk to view analytics for WAF and Bot violations in your Splunk dashboard. The Splunk add-on enables you to:
- Combine all other external data sources
- Provide greater visibility of analytics in a centralized place
Citrix ADM collects Bot and WAF events and sends them to Splunk periodically. The Splunk Common Information Model (CIM) add-on converts the events to CIM-compatible data. As an administrator, you can use the CIM-compatible data to view the WAF and Bot violations in the Splunk dashboard.
For more information, see Splunk integration.
Hide idle services in service graph for microservices
In service graph for microservices, you can now select the Hide Idle Services option from Settings. When you select this option, the services without traffic or transactions with other services are hidden from the service graph.
As a result, you can monitor with ease only the active services.
Deliver a Google cloud application in three steps at your first login
When you log on to the ADM GUI for the first time, you can deliver an application that is in Google Cloud using ADC instances in just three steps. This option is called Smart Deployment. Earlier, this option was available only for AWS and Microsoft Azure applications.
- Register your Google Cloud account with ADM service by creating a Cloud Access Profile.
- Prepare your Google Cloud environment by specifying the region, virtual network details, and ADC licenses.
  The Google Cloud environment comprises Google Cloud infrastructure, ADM agent, and ADM Autoscale group. In this step, the ADM creates the following:
  - A Google Cloud Deployment Manager to create the required infrastructure that includes subnets, security groups, NAT gateways, and so on.
  - An ADM Agent in the virtual network to manage ADC instances.
  - An ADC Autoscale group. You can customize this group later in the Infrastructure > Public Cloud > Autoscale Groups page.
- After successful environment preparation, configure applications using StyleBooks to deliver your application.
After the first logon, if you want to Autoscale ADC instances, see Autoscaling of Citrix ADC using Citrix ADM. For more information, see Getting Started.
Specify parameter conditions in a StyleBook definition
Parameter conditions are used to modify the behavior of certain parameters in the StyleBook definition. Parameters in a StyleBook definition are the input provided to create a configuration pack. Use parameters-conditions to define a parameter condition in the definition. The parameter condition has the following attributes:
- target: Specify the target parameter to which you want to apply an action. You can specify multiple target parameters.
- action: Specify what action to take on the target parameters.
- condition: Optional. Specify a condition to apply an action for the specified target parameters. If you do not specify a condition, the action is directly applied on the target parameters.
- value: Set the values for the target parameters attribute depending on the action.
For example, the SSL certificate files are optional in a StyleBook. When the SSL protocol is selected, you can specify a parameter condition to convert this optional field to a mandatory field. So, this condition ensures no configuration packs are created without certificate files.
```yaml
parameters-conditions:
  - target: $parameters.certificates
    action: set-required
    condition: $parameters.lb-service-type == "SSL"
```
Currently, the parameter conditions cannot be applied for the parameters within list objects.
StyleBook definition supports a splat expression
A splat expression [*] provides a simpler way to retrieve a certain attribute from a complex list for all the iterations. You can now include splat expressions in a StyleBook definition. Earlier, you had to specify a “repeat” construct to retrieve the same information.
This expression iterates over all the items of the list specified to its left and returns the attribute value specified to its right. When you want to retrieve an IP address or host name of each virtual server from the list, you can use the following splat expressions:
- $parameters.server-members[*].hostname. This expression returns a list of host names from all the server-members.
- $parameters.server-members[*].sub-domains[*].name. This expression returns a list of all names under the subdomains of each server-members.
These expressions always return the list of the right-most element type.
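The splat semantics described above, modelled in Python as an added example (not Citrix's evaluator and not code from these release notes). The `evaluate_splat` helper and the sample parameter values are constructed for illustration, and raising on a missing attribute is an assumption.

```python
import re

# Constructed sample input: values a user might supply for the parameters.
PARAMETERS = {
    "server-members": [
        {"hostname": "web1.example.com",
         "sub-domains": [{"name": "api"}, {"name": "static"}]},
        {"hostname": "web2.example.com",
         "sub-domains": [{"name": "admin"}]},
        {"hostname": "web3.example.com", "sub-domains": []},
    ]
}

# One path step: ".name" optionally followed by the splat marker "[*]".
_STEP = re.compile(r"\.([A-Za-z0-9_-]+)(\[\*\])?")


def evaluate_splat(expression, parameters):
    """Evaluate a '$parameters.a[*].b' style expression (hypothetical helper)."""
    prefix = "$parameters"
    if not expression.startswith(prefix):
        raise ValueError("expression must start with $parameters")
    rest, pos, steps = expression[len(prefix):], 0, []
    while pos < len(rest):
        match = _STEP.match(rest, pos)
        if not match:
            raise ValueError(f"cannot parse expression at: {rest[pos:]!r}")
        steps.append((match.group(1), match.group(2) is not None))
        pos = match.end()
    if not steps:
        raise ValueError("expression names no parameter")

    current, used_splat = [parameters], False
    for name, is_splat in steps:
        collected = []
        for item in current:
            value = item[name]  # assumption: a missing attribute is an error
            if is_splat:
                if not isinstance(value, list):
                    raise TypeError(f"[*] applied to non-list attribute {name!r}")
                collected.extend(value)  # iterate every item of the list
            else:
                collected.append(value)
        current, used_splat = collected, used_splat or is_splat
    # With a splat the result is a flat list of the right-most element type.
    return current if used_splat else current[0]
```

Nested splats flatten into a single list, so a member with no sub-domains contributes nothing to the result.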
Set up license expiry notifications for SSL certificates installed using StyleBooks
You can now set up notifications for expiry of SSL certificates that are uploaded by using ADM StyleBooks and stored in Certificate Store. Previously, you were able to set up notifications for SSL certificates installed using only the SSL dashboard (ADM GUI > Infrastructure > SSL Dashboard) option.
For more information about how to set up notifications, see Set up notifications for SSL certificate expiry.
For more information about how to upload SSL certificates using StyleBooks, see Create configurations to upload SSL files.
Select the ADC CLI commands option to configure an Autoscale group application
When configuring an application for the Autoscale group, you can now select the ADC CLI commands option on the GUI. Earlier, a confirmation message appeared asking whether to configure the application using StyleBooks, and you could specify ADC CLI commands only if you selected No.
The issues that are addressed in Build July 13, 2021.
In App Dashboard, when you drill down an application and in the Web Insight tab, the See more option under Clients does not work. This issue is also observed in Applications > Web Insight.
Under Infrastructure > Instance Advisory > Security Advisory, when you click Proceed to upgrade workflow to upgrade a vulnerable Citrix CPX instance, an error message appears. This issue happens because the ADM upgrade workflow supports only MPX, SDX, and VPX instances.
With this fix, a separate CPX column is added under Current CVEs > ADC instances are impacted by CVEs. To upgrade a vulnerable CPX instance, see Upgrade CPX.
In App Dashboard, the application details page displays the current day’s data as the next day’s data. This issue occurs when you select an interval greater than one day, and it is observed only under the App score and Issue sections.
Security advisory does not have the complete capability to identify vulnerable ADC CPX instances correctly, and it might show false positives. Recommendation: Do not use security advisory for CPX instances.