RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Thank you for your reply. 

We will consider upgrading the version.

Thank you,
Tadashi
> -Original Message-
> From: Mike Jumper 
> Sent: Thursday, January 13, 2022 10:19 AM
> To: user@guacamole.apache.org
> Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel
> identifier may be included in the non-private details of active connections
> 
> On Wed, Jan 12, 2022 at 4:52 PM  wrote:
> >
> > Hello,
> >
> > Can this vulnerability be protected by a WAF such as ModSecurity?
> >
> 
> I would not recommend relying solely on a WAF to defend against a known issue in
> any application. With the issue in question being patched in the latest release (1.4.0),
> your best option is to upgrade to 1.4.0 and thus deploy the relevant patch.
> 
> - Mike
> 
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org





RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Hello,

Can this vulnerability be protected by a WAF such as ModSecurity?


From: Nick Couchman  
Sent: Thursday, January 13, 2022 6:33 AM
To: user@guacamole.apache.org
Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel 
identifier may be included in the non-private details of active connections

 

On Wed, Jan 12, 2022 at 4:28 PM guacatoine <guacamole.to...@placi.de> wrote:

Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> Severity: moderate

When running Apache Guacamole 1.3.0, is the only way of addressing 
CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming 
for one (or more lower) version(s) of Guacamole?

 

We do not plan to release patches for lower versions. Essentially, 1.4.0 is the 
patch.

 

If you really need to maintain a lower version, you could try to back-port the 
patch(es) that specifically address the issue to that version, but that's a lot 
of manual work versus just upgrading to the latest version.

 

-Nick



RE: About using MariaDB Connector/J

2021-10-27 Thread rst_pi_sisk10.vi
Thank you for your instructions and replies.

Create an issue in jira.

 

Thank you.

 

From: Nick Couchman  
Sent: Wednesday, October 27, 2021 7:31 PM
To: user@guacamole.apache.org
Subject: Re: About using MariaDB Connector/J

 

On Wed, Oct 27, 2021 at 3:06 AM <rst_pi_sisk10...@krf.biglobe.ne.jp> wrote:

I haven't received a reply to the following emails yet.
Did you make a rude statement?

If so, I'm sorry.
I want to contribute as much as possible to the Guacamole project.

Also, by changing the following sources
SSL communication was successful as expected.

★MySQLAuthenticationProviderModule.java

guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java

★Change before (lines 90-92)
    // For compatibility, set legacy useSSL property when SSL is disabled.
    if (sslMode == MySQLSSLMode.DISABLED)
        driverProperties.setProperty("useSSL", "false");

★Change after
    // For compatibility, set legacy useSSL property when SSL is disabled.
    if (sslMode == MySQLSSLMode.DISABLED) {  //Add
        driverProperties.setProperty("useSSL", "false");
    } else { //Add
        driverProperties.setProperty("useSSL", "true");//Add
    }//Add

 

The contribution guidelines are here:

 

http://guacamole.apache.org/open-source/

 

Basically, you'll need to:

* Create a Jira issue for this 
(https://issues.apache.org/jira/projects/GUACAMOLE)

* Fork the apache/guacamole-client repository on github.

* Make a new branch in your copy of the repo, and make your changes there (be 
sure to follow guidelines, here)

* Submit a pull request with the changes.

 

-Nick



RE: About using MariaDB Connector/J

2021-10-27 Thread rst_pi_sisk10.vi
I haven't received a reply to the following emails yet.
Did you make a rude statement?

If so, I'm sorry.
I want to contribute as much as possible to the Guacamole project.

Also, by changing the following sources
SSL communication was successful as expected.

★MySQLAuthenticationProviderModule.java

guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java

★Change before (lines 90-92)
    // For compatibility, set legacy useSSL property when SSL is disabled.
    if (sslMode == MySQLSSLMode.DISABLED)
        driverProperties.setProperty("useSSL", "false");

★Change after
    // For compatibility, set legacy useSSL property when SSL is disabled.
    if (sslMode == MySQLSSLMode.DISABLED) {  //Add
        driverProperties.setProperty("useSSL", "false");
    } else { //Add
        driverProperties.setProperty("useSSL", "true");//Add
    }//Add


I hope you'll tell me what to do to contribute to the project.

Thank you.

> -Original Message-
> From: rst_pi_sisk10...@krf.biglobe.ne.jp 
> Sent: Thursday, October 21, 2021 8:39 PM
> To: 'user@guacamole.apache.org' 
> Subject: About using MariaDB Connector/J
>
> Hello,
>
> Regarding the SSL connection between Guacamole and the DB using MariaDB Connector/J,
> the SSL connection was not enabled even though the following parameters were set.
>
> ★/etc/guacamole/guacamole.properties
>  mysql-driver: mariadb
>  mysql-ssl-mode: required
>  mysql-ssl-trust-store: /opt/jks/.jks
>  mysql-ssl-trust-password: 
>
> I created the following files for troubleshooting. When I ran it, the SSL connection was
> successful.
>
> ---
> vim Sample.java
> import java.sql.*;
>
> public class Sample {
>
>     public static void main(String[] args) {
>         Connection conn = null;
>         try {
>             Class.forName("org.mariadb.jdbc.Driver");
>             conn = DriverManager.getConnection("jdbc:mysql://x:3306/xxx?user===true=/opt/jks/xxx.jks=XXXX");
>
>             Statement statement = conn.createStatement();
>             ResultSet resultSet = statement.executeQuery("SELECT count(*) FROM sample;");
>             resultSet.next();
>             System.out.println(resultSet.getInt(1));
>             conn.close();
>
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
> }
>
> javac Sample.java
> java Sample
>
> ---
>
> Using MySQL Connector/J, SSL connection was possible from Guacamole with the
> same settings.
> ※In the above example, I deleted "mysql-driver: mariadb" in "guacamole.properties"
>
> The default setting for MariaDB Connector/J seems to be useSsl = false.
> https://mariadb.com/kb/en/about-mariadb-connector-j/#tls-parameters
>
> Is there a parameter to set "useSSL = true" when connecting to SSL using MariaDB
> Connector/J?
> If not, do I need to change the following sources?
>
> ★MySQLAuthenticationProviderModule.java
>
> guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java
>
> ★Target location (lines 90-92)
>     // For compatibility, set legacy useSSL property when SSL is disabled.
>     if (sslMode == MySQLSSLMode.DISABLED)
>         driverProperties.setProperty("useSSL", "false");
>
> Thank you.





About using MariaDB Connector/J

2021-10-21 Thread rst_pi_sisk10.vi
Hello,

Regarding the SSL connection between Guacamole and the DB using MariaDB Connector/J,
the SSL connection was not enabled even though the following parameters
were set.

★/etc/guacamole/guacamole.properties
 mysql-driver: mariadb
 mysql-ssl-mode: required
 mysql-ssl-trust-store: /opt/jks/.jks
 mysql-ssl-trust-password: 

I created the following files for troubleshooting. When I ran it, the SSL
connection was successful.

---
vim Sample.java
import java.sql.*;

public class Sample {

    public static void main(String[] args) {
        Connection conn = null;
        try {
            Class.forName("org.mariadb.jdbc.Driver");
            conn = DriverManager.getConnection("jdbc:mysql://x:3306/xxx?user===true=/opt/jks/xxx.jks=");

            Statement statement = conn.createStatement();
            ResultSet resultSet = statement.executeQuery("SELECT count(*) FROM sample;");
            resultSet.next();
            System.out.println(resultSet.getInt(1));
            conn.close();

        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

javac Sample.java
java Sample

---

Using MySQL Connector/J, SSL connection was possible from Guacamole with the
same settings.
※In the above example, I deleted "mysql-driver: mariadb" in
"guacamole.properties"

The default setting for MariaDB Connector/J seems to be useSsl = false.
https://mariadb.com/kb/en/about-mariadb-connector-j/#tls-parameters

Is there a parameter to set "useSSL = true" when connecting to SSL using
MariaDB Connector/J?
If not, do I need to change the following sources?

★MySQLAuthenticationProviderModule.java

guacamole-client/extensions/guacamole-auth-jdbc/modules/guacamole-auth-jdbc-mysql/src/main/java/org/apache/guacamole/auth/mysql/MySQLAuthenticationProviderModule.java

★Target location (lines 90-92)
    // For compatibility, set legacy useSSL property when SSL is disabled.
    if (sslMode == MySQLSSLMode.DISABLED)
        driverProperties.setProperty("useSSL", "false");

Thank you.





Re: About Guacamole API

2021-06-30 Thread rst_pi_sisk10 . vi
Nick

Thank you for your reply.

> 
> No, this is not possible nor is it a problem:
> 

Of course.
Thank you very much!

> On 2021/06/30 at 10:47, Mike Jumper wrote:
> 
> On Tue, Jun 29, 2021, 18:43 <rst_pi_sisk10...@krf.biglobe.ne.jp> wrote:
> 
> > Hello,
> > 
> > I have created a shell script that uses the Guacamole REST API.
> > 
> > > #!/bin/bash
> > > #
> > > USER=guacadmin
> > > PASS=guacadmin
> > > 
> > > # Request an auth token, then list users with it
> > > export TOKEN=$(curl -s -k -X POST https://localhost/api/tokens -d "username=${USER}&password=${PASS}" | jq -r .authToken)
> > > curl -X GET -H 'Content-Type: application/json' -s "http://localhost:8080/guacamole/api/session/data/mysql/users?token=$TOKEN" | jq | grep username
> > 
> > It's very convenient, but I think it will be a problem if it is 
> > operated from the outside (Internet).
> > Is there a way to deny the above API communication only from the 
> > outside?
> 
> No, this is not possible nor is it a problem:
> 
> The REST API is how the web interface itself functions. When you interact 
> with the web interface in your browser, the internals of that web interface 
> are actually using the REST API on your behalf.
> 
> - Mike
> 
> 


About Guacamole API

2021-06-29 Thread rst_pi_sisk10 . vi
Hello,

I have created a shell script that uses the Guacamole REST API.

> 
> #!/bin/bash
> #
> USER=guacadmin
> PASS=guacadmin
> 
> # Request an auth token, then list users with it
> export TOKEN=$(curl -s -k -X POST https://localhost/api/tokens -d "username=${USER}&password=${PASS}" | jq -r .authToken)
> curl -X GET -H 'Content-Type: application/json' -s "http://localhost:8080/guacamole/api/session/data/mysql/users?token=$TOKEN" | jq | grep username
> 

It's very convenient, but I think it will be a problem if it is operated from 
the outside (Internet).
Is there a way to deny the above API communication only from the outside?

Thank you.


RE: About Authentication Token (Guacamole 1.3.0)

2021-05-18 Thread rst_pi_sisk10.vi
Thank you for your reply.

 

I think it's difficult at this point.

 

I want to do my best to come up with ideas!

 

From: Nick Couchman  
Sent: Thursday, May 13, 2021 7:54 PM
To: user@guacamole.apache.org; rst_pi_sisk10...@krf.biglobe.ne.jp
Subject: Re: About Authentication Token (Guacamole 1.3.0)

 

On Thu, May 13, 2021 at 2:06 AM <rst_pi_sisk10...@krf.biglobe.ne.jp> wrote:

Hello,

LB exists between guacamole and client
Session information is currently implemented in LB.

Stop maintaining sessions(cookie) using LB,
I want to use tomcat session replication instead.

However, Guacamole does recognize that it uses tokens for authentication.

If the LB distributes randomly, there is a possibility of re-login due to a mismatch 
of tokens.

Token information to Memcached and Redis
How do I save / recall?

Currently Guacamole does not store session information, including tokens, in 
any sort of persistent or shared database, so this is not possible. In order to 
get this to work you would need to modify the Guacamole code such that session 
information was stored in a way that could be replicated across multiple Tomcat 
instances. Memcached and/or Redis are certain ways to do that, and Tomcat's 
built-in session replication might also allow for this, but not without 
modifications to Guacamole.

 

The easier way to do this, without code modifications, is to make sure that the 
load balancer persists a session to a particular Tomcat server for the life of 
that session (sometimes called "sticky" or "persistent" sessions). Even if you 
get past the login token issue and manage to replicate that information across 
multiple Guacamole Client instances on multiple Tomcat servers you would end up 
with similar issues with an active Guacamole connection - if the load balancer 
randomly switches a client that is connected to a remote server to a different 
Tomcat back-end, the Guacamole connection will drop. So, session persistence 
between client and Tomcat server is really a better way to go, at least until 
the Guacamole code is modified in such a way that it supports replication of 
this information.

 

If you have ideas on how to modify the Guacamole code to implement this 
support, feel free to open a pull request :-)!

 

-Nick



About Authentication Token (Guacamole 1.3.0)

2021-05-13 Thread rst_pi_sisk10 . vi
Hello,

LB exists between guacamole and client
Session information is currently implemented in LB.

Stop maintaining sessions(cookie) using LB,
I want to use tomcat session replication instead.

However, Guacamole does recognize that it uses tokens for authentication.

If the LB distributes randomly, there is a possibility of re-login due to a mismatch 
of tokens.

Token information to Memcached and Redis
How do I save / recall?

Thank you.

Re: Microphone not available (Guacamole 1.3.0)

2021-03-21 Thread rst_pi_sisk10 . vi
Nick

Thank you for your reply.

I tried to put the permission setting of chrome
It worked fine!

Thank you very much!

> On 2021/03/21 at 21:17, Nick Couchman wrote:
> 
> On Sun, Mar 21, 2021 at 7:37 AM <rst_pi_sisk10...@krf.biglobe.ne.jp> wrote:
> 
> > Hello,
> > 
> > Please tell me about audio input (microphone input).
> > 
> > I tried the microphone input with Guacamole 1.3.0, but it 
> > recognizes it as remote audio
> > The indicator did not go up at all and the voice was not recognized.
> > 
> > * I checked "Enable input audio (microphone)" in the connection 
> > settings and tested it.
> 
> In your Web Browser, have you allowed the Guacamole web site to 
> access the microphone? I use Google Chrome most of the time, and I know 
> that Chrome will block access to microphones (and web cams) until you 
> specifically allow it in the settings for a particular site. Other browsers 
> likely have similar security measures, so you might check on that and make 
> sure.
> 
> -Nick
> 


Microphone not available (Guacamole 1.3.0)

2021-03-21 Thread rst_pi_sisk10 . vi
Hello,

Please tell me about audio input (microphone input).

I tried the microphone input with Guacamole 1.3.0, but it recognizes it as 
remote audio
The indicator did not go up at all and the voice was not recognized.

* I checked "Enable input audio (microphone)" in the connection settings and 
tested it.

I tried to connect by xfreerdp command on CentOS with guacamole 1.3.0 installed.
In this case, the indicator goes up without any problem, 
and the meeting at Zoom is also possible.
I was able to use it without any problems.

Is guacamole installed incorrectly or misconfigured?

The current OS and packages used are as follows.

OS: Centos7.9
Tomcat: tomcat-7.0.76-16.el7_9
freerdp-devel-2.1.1-2.el7.x86_64
Guacamole-Client: 1.3.0
Guacamole-Server: 1.3.0

* Result of configure before installing guacamole-server



guacamole-server version 1.3.0


Library status:

freerdp2  yes
pango ... yes
libavcodec .. yes
libavformat.. yes
libavutil ... yes
libssh2 . yes
libssl .. yes
libswscale .. yes
libtelnet ... yes
libVNCServer  yes
libvorbis ... yes
libpulse  yes
libwebsockets ... yes
libwebp . yes
wsock32 . no

Protocol support:

Kubernetes  yes
RDP ... yes
SSH ... yes
Telnet  yes
VNC ... yes

Services / tools:

guacd .. yes
guacenc  yes
guaclog  yes

FreeRDP plugins: /usr/lib64/freerdp2
Init scripts: no
Systemd units: no



Thank you.


Re: About disconnection of guacamole

2021-01-17 Thread rst_pi_sisk10 . vi
Nick

Thank you for your reply.

I will try with the instructions.

Thank you.

> On 2021/01/18 at 4:00, Nick Couchman wrote:
> 
> On Fri, Jan 15, 2021 at 8:58 PM <rst_pi_sisk10...@krf.biglobe.ne.jp> wrote:
> 
> > Nick
> > 
> > Thank you for your reply.
> > 
> > Detailed information is also appreciated.
> > 
> > I have one more question.
> > 
> > Do you know the best way to check if you are receiving data from 
> > Guacd?
> > 
> > I want to know where the delay is occurring between the guacamole 
> > server and the client.
> 
> First thing to do would be to examine log messages, both in the 
> Tomcat logs (catalina.out in many cases, but sometimes in journalctl or 
> syslog) and guacd logs (syslog) and see if one or both of those is logging 
> information about where the delay or disconnect is occurring.
> 
> Other than that, look at the following:
> - Test connection characteristics between the browser and the server 
> running Tomcat (using things like ping or traceroute to measure latency and 
> packet loss), and between the server running Tomcat and the one running guacd 
> (if they're on different systems - often they are running on the same system).
> - Make sure that there are no resource constraints on the system(s) 
> running Tomcat and guacd - look at memory and CPU utilization and make sure 
> the system is not starved for resources.
> - Also check the system running the web browser and make sure that it 
> isn't running out of resources - every now and then I get into a situation 
> where I run my laptop out of RAM or have excessive CPU utilization due to the 
> number of tabs (overall, not just Guacamole) I have open, and often the 
> Guacamole Client tabs disconnect due to this.
> 
> -Nick
> 


Re: About disconnection of guacamole

2021-01-15 Thread rst_pi_sisk10 . vi
Nick

Thank you for your reply.

Detailed information is also appreciated.

I have one more question.

Do you know the best way to check if you are receiving data from Guacd?

I want to know where the delay is occurring between the guacamole server and 
the client.

Thank you.

> On 2021/01/16 at 10:34, Nick Couchman wrote:
> 
> On Fri, Jan 15, 2021 at 7:03 PM <rst_pi_sisk10...@krf.biglobe.ne.jp> wrote:
> 
> > Hi!
> > I will post for the first time. This is Tadashi.
> > 
> > Guacamole sometimes becomes unstable. A message appears at the 
> > bottom right of the screen stating that the network is not stable.
> > I would like to know what kind of processing is done inside guacamole 
> > to display the message that the network is not stable.
> > 
> > (For example, the response between the client and guacamole is 
> > measured by some mechanism and monitored at a fixed threshold.)
> 
> I believe most of the work for this was implemented as a part of 
> GUACAMOLE-567:
> 
> https://issues.apache.org/jira/browse/GUACAMOLE-567
> 
> The following two pull requests are the client-side changes that enable 
> this:
> 
> https://github.com/apache/guacamole-client/pull/290
> https://github.com/apache/guacamole-client/pull/312
> 
> Basically, if the connection does not receive any data from the tunnel 
> (guacd) within 1500 milliseconds, it warns that the connection is unstable. 
> If data is not received over the tunnel within 15000 milliseconds, the 
> connection is assumed to be lost and the client closes it.
> 
> The second pull request adds a "ping" every 500 milliseconds (in the form 
> of a "nop" message) from the browser to the Java tunnel (which is then passed 
> on to the server) that ensures that traffic is traveling over the tunnel.
> 
> I'm sure Mike can provide more thorough detail on this, or you can have a 
> look at the source code of the files impacted by those pull requests.
> 
> -Nick
> 
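
The timing rules described in the quoted reply above, as an added example that is not part of the original thread and is not Guacamole's own code: a small model of the tunnel liveness check that replays a constructed trace of data-arrival times. `TunnelMonitor`, `replay`, the state names and the 100 ms timer step are assumptions; only the 1500 ms, 15000 ms and 500 ms values come from the reply.

```javascript
// Added example, not Guacamole source. Names are hypothetical; the three
// timings are the ones quoted in the reply above.
const UNSTABLE_MS = 1500;   // no data from the tunnel this long: warn "unstable"
const TIMEOUT_MS = 15000;   // no data this long: assume lost and close
const PING_MS = 500;        // interval of the keep-alive "nop" from the browser

class TunnelMonitor {
    constructor(now = 0) {
        this.lastReceived = now;  // time any data last arrived from the tunnel
        this.lastPing = now;      // time the last "nop" was sent
        this.state = 'OPEN';
        this.sent = [];           // record of keep-alives, for inspection
    }

    // Call whenever any data arrives over the tunnel.
    receive(now) {
        if (this.state === 'CLOSED') return;  // a closed tunnel stays closed
        this.lastReceived = now;
        this.state = 'OPEN';
    }

    // Call from a periodic timer: sends the keep-alive and re-evaluates state.
    tick(now) {
        if (this.state === 'CLOSED') return this.state;
        if (now - this.lastPing >= PING_MS) {
            this.sent.push({ t: now, opcode: 'nop' });
            this.lastPing = now;
        }
        const silent = now - this.lastReceived;
        if (silent >= TIMEOUT_MS) this.state = 'CLOSED';
        else if (silent >= UNSTABLE_MS) this.state = 'UNSTABLE';
        else this.state = 'OPEN';
        return this.state;
    }
}

// Replays data-arrival timestamps (ms) against the monitor and returns every
// state change, so a stall can be located on a timeline.
function replay(arrivals, endMs, stepMs = 100) {
    const monitor = new TunnelMonitor(0);
    const pending = [...arrivals].sort((a, b) => a - b);
    const transitions = [];
    let prev = monitor.state;
    for (let t = stepMs; t <= endMs; t += stepMs) {
        while (pending.length && pending[0] <= t) monitor.receive(pending.shift());
        const state = monitor.tick(t);
        if (state !== prev) {
            transitions.push({ t, state });
            prev = state;
        }
    }
    return { transitions, pings: monitor.sent.length, final: monitor.state };
}

// Constructed trace: steady data, a 2.8 s stall, brief recovery, then silence.
const CONSTRUCTED_TRACE = [400, 800, 1200, 4000, 4300];
console.log(JSON.stringify(replay(CONSTRUCTED_TRACE, 20000)));
```

A short stall only raises the warning and clears as soon as data arrives again; the connection is dropped only after the full 15000 ms of silence, which helps when matching the browser warning against Tomcat and guacd log timestamps.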


About disconnection of guacamole

2021-01-15 Thread rst_pi_sisk10 . vi
Hi!
I will post for the first time. This is Tadashi.

Guacamole sometimes becomes unstable. A message appears at the bottom right of 
the screen stating that the network is not stable.
I would like to know what kind of processing is done inside guacamole to 
display the message that the network is not stable.

(For example, the response between the client and guacamole is measured by some 
mechanism and monitored at a fixed threshold.)

Thank you.