Overview

A vulnerability has been recently disclosed in OpenSSL that could result in remote attackers being able to obtain sensitive data from the process address space of a vulnerable OpenSSL server or client.

The issue has been assigned the following CVE identifier and is also known as the Heartbleed vulnerability:

CVE-2014-0160: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

What Citrix is Doing

Citrix has analyzed the impact of this issue on currently supported products. The following sections of this advisory provide impact information on each product.

Products That Require Citrix Updates:

• HDX RealTime Optimization Pack for Microsoft Lync 2010: This component is vulnerable to CVE-2014-0160. An updated version of this component has been released to address this issue. Citrix recommends customers deploy these patches as soon as possible. These patches can be found on our website at the following locations:
o Windows - https://support.citrix.com/article/CTX140719
o Mac - https://support.citrix.com/article/CTX140730
o Linux - https://support.citrix.com/article/CTX140732
• Citrix XenMobile App Controller: XenMobile App Controller versions 2.9 and 2.10 are vulnerable to CVE-2014-0160. Patches have been released to address this issue for both App Controller 2.9 and 2.10. Citrix recommends that customers deploy these patches as soon as possible. These patches are available from the following location: https://www.citrix.com/downloads/xenmobile/product-software.html. Further information on this can be found in the following blog post: http://blogs.citrix.com/2014/04/15/citrix-xenmobile-security-advisory-for-heartbleed/.
• Citrix XenMobile MDX Toolkit & SDK: MDX Toolkit and SDK versions 2.2.1 (XenMobile 8.6.1) and 2.3.61 (XenMobile 8.7) use a vulnerable version of OpenSSL when wrapping iOS applications. Enterprise-ready mobile apps on the Worx App Gallery that use this version of Worx SDK also use a vulnerable version of OpenSSL. Outgoing micro VPN network connections to Access Gateway from iOS applications that were wrapped, or Worx SDK enabled, with this version will be encapsulated in a TLS connection that uses a vulnerable version of OpenSSL. Citrix has released a new version of the MDX Toolkit & SDK for iOS and Android Build MDX Toolkit; this can be found on the Citrix website at the following address: https://www.citrix.com/downloads/xenmobile/product-software.html. Wrapped Android applications make use of the underlying Android version of OpenSSL; Citrix advises customers to check with their device vendors to ensure that the underlying Android version is not vulnerable to CVE-2014-0160.
• Citrix XenMobile Worx components for iOS: Worx Home for iOS version 8.7 uses a vulnerable version of OpenSSL. A new version of this software, 8.7.1.27, can be downloaded from the Apple App Store at the following address: https://itunes.apple.com/us/app/worx-home/id434682528?mt=8. Customers that are using wrapped versions of iOS Worx applications are also advised to review the guidance on the MDX Toolkit given above.
• Receiver for BlackBerry: The Receiver for BlackBerry 10 version 2.0.0.21 is vulnerable to CVE-2014-0160. A new version of the Receiver for BlackBerry 10, 2.0.0.22, can be downloaded from the BlackBerry World website at the following address: http://appworld.blackberry.com/webstore/content/34621918. Receiver for PlayBook version 1.0.0 and Receiver for BlackBerry version 2.2 are not vulnerable to CVE-2014-0160.
• Citrix Licensing: The Citrix License Server for Windows version 11.11.1, the Citrix License Server VPX version 11.12 and the Citrix Usage Collector are vulnerable to CVE-2014-0160. New versions of the License Server for Windows, 11.11.1.13017, and the License Server VPX, 11.12.14001, can be downloaded from the Citrix website at the following address: https://www.citrix.com/downloads/licensing/license-server.html
• Citrix CloudPlatform: The TLS interface exposed by the Secondary Storage VM in CloudPlatform versions 4.2.0, 4.2.1-x and 4.3.0.0 uses a version of OpenSSL that is vulnerable to CVE-2014-0160. Citrix has released updated system virtual machine templates to resolve this issue. Citrix recommends that customers update the system virtual machine templates to a patched version and then reboot any Secondary Storage VMs to ensure that the updated OpenSSL version is being used. Instructions on updating the system virtual machine templates can be found in the following Citrix knowledge base article: https://support.citrix.com/article/CTX200024.
• Citrix XenClient XT: XenClient XT versions 3.1.4, 3.2.0, and 3.2.1 are vulnerable to CVE-2014-0160. A new version of XenClient XT, 3.2.2, is available on the Citrix website at the following address: https://www.citrix.com/downloads/xenclient/product-software/xenclient-xt-322.html. The XenClient XT Synchronizer makes use of the platform-provided OpenSSL library. Customers are advised to verify that the version of OpenSSL installed on the underlying Linux operating system is not vulnerable to CVE-2014-0160.
• Citrix XenClient Enterprise: Some versions of XenClient Enterprise Engine are vulnerable to CVE-2014-0160. In deployments where the XenClient Synchronizer is only accessed via fully trusted networks, the level of exposure is reduced. The TLS libraries used by currently supported versions of the XenClient Enterprise Synchronizer are not vulnerable to CVE-2014-0160. The following versions of XenClient Enterprise Engine are vulnerable to CVE-2014-0160:
o 4.1.0, 4.1.1, 4.1.2, 4.1.3, and 4.1.4. Citrix has released a new version of the XenClient Enterprise Engine, 4.1.5. This can be found at the following address: https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-41.html
o 4.5.1, 4.5.2, 4.5.3, 4.5.4, and 4.5.5. Citrix has released a new version of the XenClient Enterprise Engine, 4.5.6. This can be found at the following address: https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-45
o 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4 and 5.0.5. Citrix has released a new version of the XenClient Enterprise Engine, 5.0.6. This can be found at the following address: https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-50.html
o 5.1.0 and 5.1.1. Citrix has released a new version of XenClient Enterprise, 5.1.2. This can be found at the following address: https://www.citrix.com/downloads/xenclient/product-software/xenclient-enterprise-51.html
• Citrix DesktopPlayer for Mac: DesktopPlayer for Mac version 1.0.x up to and including version 1.0.3 is vulnerable to CVE-2014-0160. A new version of DesktopPlayer for Mac, 1.0.4, is available on the Citrix website at the following address: https://www.citrix.com/downloads/desktopplayer-for-mac/product-software/desktopplayer-for-mac-10.html. The TLS libraries used by currently supported versions of the DesktopPlayer Synchronizer are not vulnerable to CVE-2014-0160.

Products That May Require Third Party Updates:

• Citrix XenDesktop 7.5: Customers deploying Virtual Desktop Agents that are hosted on Citrix CloudPlatform are advised to verify that the volume worker template is using a version of OpenSSL that is not vulnerable to CVE-2014-0160. Setup instructions for the volume worker template on CloudPlatform can be found in the following document: https://support.citrix.com/article/CTX140428. Amazon Web Services based deployments use the Linux AMI template. Guidance from Amazon covering VMs based on this template can be found at the following location: https://aws.amazon.com/amazon-linux-ami/security-bulletins/ALAS-2014-320/.
• Citrix Receiver for Android: Receiver for Android makes use of the OpenSSL library provided by the underlying Android platform. Citrix advises customers to check with their device vendors to ensure that the underlying Android version is not vulnerable to CVE-2014-0160. An initial statement by Google on Android can be found here: http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html.
• Citrix XenMobile Worx components for Android: Worx components running on Android make use of the OpenSSL library provided by the underlying Android platform. Citrix advises customers to check with their device vendors to ensure that the underlying Android version is not vulnerable to CVE-2014-0160. An initial statement from Google on Android can be found here: http://googleonlinesecurity.blogspot.co.uk/2014/04/google-services-updated-to-address.html.
• Citrix Receiver for Linux: The TLS libraries included in currently supported versions of Receiver for Linux are not vulnerable to CVE-2014-0160. Version 13.0 of Receiver for Linux also makes use of the platform-provided OpenSSL library. Customers using this version are advised to ensure that the version of OpenSSL installed on the underlying Linux operating system is not vulnerable to CVE-2014-0160.
• Citrix Web Interface: Web Interface makes use of the TLS functionality provided by the underlying web server. Citrix customers are advised to verify that any deployed web servers used to host Web Interface are not vulnerable to this issue. Web Interface can also use a built-in TLS library to make outgoing TLS connections; this library is not vulnerable to CVE-2014-0160.
• Citrix CloudPortal Business Manager: This product does not include any TLS libraries and, as such, is not vulnerable to CVE-2014-0160. Some customer deployments may make use of an additional SSL proxy component; Citrix advises customers to contact the vendors of any SSL proxy components being used to determine if they are vulnerable to CVE-2014-0160.
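Several items above ask customers to verify that the OpenSSL shipped with the underlying operating system is not vulnerable. The POSIX shell helper below is an added example, not part of the Citrix advisory; it classifies an `openssl version` banner against the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g). The function names are my own and the sample banners are constructed.

```sh
#!/bin/sh
# Added example (not from the Citrix advisory): classify an "openssl version"
# banner against the CVE-2014-0160 affected range.
#   Affected  : OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta1
#   Fixed     : 1.0.1g and later, 1.0.2-beta2 and later
#   Unaffected: 1.0.0 and 0.9.8 branches (no TLS heartbeat code), 1.1.x and later
# Caveat: distributions often backport the fix without changing the version
# string (a patched "1.0.1e" is common), so "vulnerable-by-version" means
# "confirm against the vendor's package changelog", not "confirmed vulnerable".

heartbleed_version_status() {
    # Extract "1.0.1e", "1.0.2-beta1", etc. from a banner such as
    # "OpenSSL 1.0.1e 11 Feb 2013"; suffixes such as "-fips" are dropped.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\(-beta[0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo "vulnerable-by-version" ;;
        1.0.1[g-z]|1.0.2*|1.0.0*|0.9.*|1.1.*|[2-9].*) echo "not-vulnerable" ;;
        *) echo "unknown" ;;
    esac
}

# Convenience wrapper for the local system: runs the installed binary, if any.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl-not-found"; return 0; }
    heartbleed_version_status "$(openssl version)"
}

# Constructed sample banners (not taken from the advisory) to exercise the check.
for banner in "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014" \
              "OpenSSL 1.0.2-beta1 24 Feb 2014" "OpenSSL 0.9.8y 5 Feb 2013"; do
    printf '%-36s %s\n' "$banner" "$(heartbleed_version_status "$banner")"
done
```

Because of vendor backports, treat "vulnerable-by-version" as a prompt to check the package changelog or build date (`openssl version -b`) rather than as a final verdict.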

Products That Are Not Impacted:

• Citrix Provisioning Services: Currently supported versions of Citrix Provisioning Services are not affected by CVE-2014-0160.
• Citrix XenServer: The TLS libraries used by currently supported versions of XenServer are not vulnerable to CVE-2014-0160.
• Citrix VDI-in-a-Box: The TLS libraries used by currently supported versions of VDI-in-a-Box (VIAB) are not vulnerable to CVE-2014-0160.
• Citrix XenMobile MDM Edition: The TLS libraries used by components of XenMobile MDM Edition, including the XenMobile Device Manager component, are not vulnerable to CVE-2014-0160.
• Citrix CloudPortal Services Manager: The TLS libraries used by currently supported versions of CloudPortal Services Manager are not vulnerable to CVE-2014-0160.
• Citrix Receiver for Windows: The TLS libraries used by currently supported versions of Receiver for Windows are not vulnerable to CVE-2014-0160.
• Citrix Receiver for Mac: The TLS libraries used by currently supported versions of Receiver for Mac are not vulnerable to CVE-2014-0160.
• Citrix Receiver for iOS: The TLS libraries used by currently supported versions of Receiver for iOS are not vulnerable to CVE-2014-0160.
• Citrix ByteMobile: The TLS libraries used by currently supported versions of ByteMobile are not vulnerable to CVE-2014-0160.
• Citrix NetScaler: The TLS libraries used by currently supported versions of the NetScaler product are not vulnerable to CVE-2014-0160.
• Citrix Access Gateway: The TLS libraries used by currently supported versions of Access Gateway are not vulnerable to CVE-2014-0160.
• Citrix CloudBridge: The TLS libraries used by currently supported versions of Citrix CloudBridge, including client components, are not vulnerable to CVE-2014-0160.
• Citrix Secure Gateway (CSG): The TLS library used by the currently supported version of CSG is not vulnerable to CVE-2014-0160.
• Citrix XenApp SSLRelay Component: The TLS libraries used by currently supported versions of the XenApp SSLRelay are not vulnerable to CVE-2014-0160.
• Citrix Single Sign-on, previously known as Password Manager: The TLS libraries used by currently supported versions of Citrix Single Sign-on are not vulnerable to CVE-2014-0160.
• Citrix StoreFront: The TLS library used by currently supported versions of Citrix StoreFront is not vulnerable to CVE-2014-0160.
• Citrix Merchandising Server: The TLS library used by the currently supported version of Citrix Merchandising Server is not vulnerable to CVE-2014-0160.

Obtaining Support on This Issue

If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at http://www.citrix.com/site/ss/supportContacts.asp. More information on the support status of Citrix products can be found on our website at the following address: http://www.citrix.com/support/product-lifecycle/product-matrix.html.

Reporting Security Vulnerabilities to Citrix

Citrix welcomes input regarding the security of its products and considers any and all potential vulnerabilities seriously. For guidance on how to report security-related issues to Citrix, please see the following document: CTX081743 – Reporting Security Issues to Citrix