The distributed computing vendor patched the flaw, affecting Citrix ADC and Gateway, along with another flaw impacting availability for SD-WAN appliances.
A critical security bug in the Citrix Application Delivery Controller (ADC) and Citrix Gateway could allow cyberattackers to crash entire corporate networks without needing to authenticate.
The two affected Citrix products (formerly the NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively. The federated working specialist pushed out a security patch on Tuesday for the vulnerability, tracked as CVE-2021-22955, which allows unauthenticated denial of service (DoS), due to uncontrolled resource consumption, according to the advisory.
Citrix also addressed a lower-severity bug that is likewise due to uncontrolled resource consumption. It impacts both of the products above, as well as the Citrix SD-WAN WANOP Edition appliance. The latter provides optimization for Citrix SD-WAN deployments, which enable secure connectivity and seamless access to virtual, cloud and software-as-a-service (SaaS) apps across enterprise and branch locations.
Tracked as CVE-2021-22956, the second flaw allows temporary disruption of: a device’s management GUI; the Nitro API for configuring and monitoring NetScaler appliances programmatically;