Tackling vulnerabilities to keep your business running

Citrix uses third-party components within our products and, as part of Citrix commitment to customer security, incorporates relevant security improvements into Citrix software updates. Citrix therefore recommends customers always use the most recent release of a currently maintained version of Citrix software or firmware, to ensure they benefit from the latest security updates. Please see the Citrix product matrix for information on lifecycle of Citrix products.

If information is needed on the impact of a CVE on a Citrix product or service, please raise a support request through your normal Citrix support channel. Please include the Common Vulnerabilities and Exposures (CVE) reference (https://nvd.nist.gov) or the relevant security bulletin article number when submitting the request.

Citrix publishes security bulletins to provide remediation information about security vulnerabilities in customer-managed Citrix products which have been reported to Citrix through the vulnerability response program. Citrix may also publish a security bulletin to inform customers of other events affecting Citrix products, for example, if a critical third-party CVE impacts a Citrix product or a dedicated hotfix is released to address a vulnerability.

Citrix will usually publish a security bulletin once software patches or workarounds exist in all versions of a product that have not yet reached End of Maintenance. In limited circumstances, including where Citrix has observed active exploitation of a vulnerability or where public awareness of a vulnerability could lead to increased risk for Citrix customers, a security bulletin may be published before a complete set of patches or workarounds have been released so that we may alert customers and provide advice on how to mitigate the associated risks. In order to help customers plan to perform any applicable updates, Citrix typically publishes security bulletins on the second Tuesday of a month but may choose to publish or update an article on a different day if we believe it’s in the best interest of our customers to do so.

Citrix classifies security bulletins as Critical, High, Medium, Low, or Informational according to the risk that Citrix determines a vulnerability represents to our customers. Citrix will calculate the risk of a vulnerability considering the CVSS method, but may modify scoring to reflect specific circumstances including, but not limited to, complexity of exploitation and available mitigations. Citrix recommends that customers apply security fixes/patches as soon as possible following their release.

For the safety of all our customers, Citrix does not disclose any technical details about vulnerabilities beyond those contained within a security bulletin. For any other information, please raise a support request through your normal Citrix support channel. Please include the relevant Citrix security bulletin article number when submitting the request.

Citrix Security bulletins are published and disclosed to customers and the public simultaneously. However, Citrix provides annadvanced notification of upcoming bulletins to a limited group of customers.

When able to do so, Citrix will notify enrolled customers of an upcoming Security bulletin 1-2 weeks prior to the public release date, to aid them in the planning of update activities. The notification will contain the name of the affected product, affected version (major versions only), criticality of the vulnerability and expected date of release.

Pre-notification of upcoming Citrix Security bulletins is available to customers and partners that meet the following criteria: 

• Be using customer-managed Citrix products  (i.e., not in Citrix Cloud)
• Have a Citrix Unified Services customer
• Have a Citrix user base of 10,000 or more users OR be managing critical infrastructure. Examples of critical infrastructure include: 
  • Cloud platform providers 
  • Service platform provider 
  • Healthcare-based ISVs
  • Financial Services
  • Energy Sector
  • Government Departments
  • Transportation
• Have NOT been previously disqualified from the pre-disclosure program

Customers wishing to be enrolled to the Pre-notification program should contact their Account Technology Specialiast (ATS) who will apply to join the pre-notification program on their behalf.

Customers must sign and return the Citrix pre-disclosure program non-disclosure agreement; the agreement is valid only upon execution by the Citrix Chief Information Security Officer or Chief Digital Risk Officer.