Posted to dev@guacamole.apache.org by Mike Jumper <mj...@apache.org> on 2022/01/11 21:21:26 UTC

[SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Severity: moderate

Description:

Apache Guacamole 1.3.0 and older may incorrectly include a private
tunnel identifier in the non-private details of some REST responses.
This may allow an authenticated user who already has permission to
access a particular connection to read from or interact with another
user's active use of that same connection.

Credit:

We would like to thank Damian Velardo (Australia and New Zealand
Banking Group) for reporting this issue.

RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by rs...@krf.biglobe.ne.jp.
Thank you for your reply. 

We will consider upgrading the version.

Thank you,
Tadashi
> -----Original Message-----
> From: Mike Jumper <mj...@apache.org>
> Sent: Thursday, January 13, 2022 10:19 AM
> To: user@guacamole.apache.org
> Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel
> identifier may be included in the non-private details of active connections
> 
> On Wed, Jan 12, 2022 at 4:52 PM <rs...@krf.biglobe.ne.jp> wrote:
> >
> > Hello,
> >
> > Can this vulnerability be protected by a WAF such as ModSecurity?
> >
> 
> I would not recommend relying solely on a WAF to defend against a known issue in
> any application. With the issue in question being patched in the latest release (1.4.0),
> your best option is to upgrade to 1.4.0 and thus deploy the relevant patch.
> 
> - Mike
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> For additional commands, e-mail: user-help@guacamole.apache.org




Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by Mike Jumper <mj...@apache.org>.
On Wed, Jan 12, 2022 at 4:52 PM <rs...@krf.biglobe.ne.jp> wrote:
>
> Hello,
>
> Can this vulnerability be protected by a WAF such as ModSecurity?
>

I would not recommend relying solely on a WAF to defend against a
known issue in any application. With the issue in question being
patched in the latest release (1.4.0), your best option is to upgrade
to 1.4.0 and thus deploy the relevant patch.

- Mike



RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by rs...@krf.biglobe.ne.jp.
Hello,

Can this vulnerability be protected by a WAF such as ModSecurity?

From: Nick Couchman <vn...@apache.org> 
Sent: Thursday, January 13, 2022 6:33 AM
To: user@guacamole.apache.org
Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

 

On Wed, Jan 12, 2022 at 4:28 PM guacatoine <guacamole.toine@placi.de> wrote:

Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjumper@apache.org wrote:
> Severity: moderate

When running Apache Guacamole 1.3.0, is the only way of addressing 
CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming 
for one (or more lower) version(s) of Guacamole?

We do not plan to release patches for lower versions. Essentially, 1.4.0 is the patch.

If you really need to maintain a lower version, you could try to back-port the patch(es) that specifically address the issue to that version, but that's a lot of manual work versus just upgrading to the latest version.

-Nick


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by Mike Jumper <mj...@apache.org>.
On Tue, Jan 18, 2022, 01:44 Antoine G. <gu...@placi.de> wrote:

> On 12/01/2022 22:32, Nick Couchman - vnick@apache.org wrote:
> > We do not plan to release patches for lower versions. Essentially, 1.4.0
> > is the patch.
>
> Thank you for your answer.
>
> Just to be sure I understand the CVE and the stack, do you confirm that
> technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd
> in 1.3.0) is enough to patch the CVE?
>

Yes.

- Mike

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by "Antoine G." <gu...@placi.de>.
On 12/01/2022 22:32, Nick Couchman - vnick@apache.org wrote:
> We do not plan to release patches for lower versions. Essentially, 1.4.0 
> is the patch.

Thank you for your answer.

Just to be sure I understand the CVE and the stack, do you confirm that 
technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd 
in 1.3.0) is enough to patch the CVE?



Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Jan 12, 2022 at 4:28 PM guacatoine <gu...@placi.de> wrote:

>
> Hello,
>
> On 11/01/2022 at 22:21, Mike Jumper - mjumper@apache.org wrote:
> > Severity: moderate
>
> When running Apache Guacamole 1.3.0, is the only way of addressing
> CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming
> for one (or more lower) version(s) of Guacamole?
>
>
We do not plan to release patches for lower versions. Essentially, 1.4.0 is
the patch.

If you really need to maintain a lower version, you could try to back-port
the patch(es) that specifically address the issue to that version, but
that's a lot of manual work versus just upgrading to the latest version.

-Nick

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by guacatoine <gu...@placi.de>.
Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjumper@apache.org wrote:
> Severity: moderate

When running Apache Guacamole 1.3.0, is the only way of addressing 
CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming 
for one (or more lower) version(s) of Guacamole?

Thank you,
Toine



Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by Mike Jumper <mj...@apache.org>.
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri <ju...@ionos.com> wrote:

> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: moderate
> >
> > Description:
> >
> > Apache Guacamole 1.3.0 and older may incorrectly include a private
> > tunnel identifier in the non-private details of some REST responses.
> > This may allow an authenticated user who already has permission to
> > access a particular connection to read from or interact with another
> > user's active use of that same connection.
> >
> > Credit:
> >
> > We would like to thank Damian Velardo (Australia and New Zealand
> > Banking Group) for reporting this issue.
> >
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?
>

The web application (.war).

- Mike

Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

Posted by Jürgen Kuri <ju...@ionos.com>.
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: moderate
> 
> Description:
> 
> Apache Guacamole 1.3.0 and older may incorrectly include a private
> tunnel identifier in the non-private details of some REST responses.
> This may allow an authenticated user who already has permission to
> access a particular connection to read from or interact with another
> user's active use of that same connection.
> 
> Credit:
> 
> We would like to thank Damian Velardo (Australia and New Zealand
> Banking Group) for reporting this issue.
> 
Hello,

which component is affected here, backend (guacd) or frontend (.war) or both?

-- 
Thanks
Jürgen
