Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-18 Thread Mike Jumper
On Tue, Jan 18, 2022, 01:44 Antoine G.  wrote:

> On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote:
> > We do not plan to release patches for lower versions. Essentially, 1.4.0
> > is the patch.
>
> Thank you for your answer.
>
> Just to be sure I understand the CVE and the stack, do you confirm that
> technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd
> in 1.3.0) is enough to patch the CVE?
>

Yes.

- Mike


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-18 Thread Antoine G.

On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote:
> We do not plan to release patches for lower versions. Essentially, 1.4.0
> is the patch.


Thank you for your answer.

Just to be sure I understand the CVE and the stack, do you confirm that 
technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd 
in 1.3.0) is enough to patch the CVE?


-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Thank you for your reply. 

We will consider upgrading the version.

Thank you,
Tadashi
> -----Original Message-----
> From: Mike Jumper 
> Sent: Thursday, January 13, 2022 10:19 AM
> To: user@guacamole.apache.org
> Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel
> identifier may be included in the non-private details of active connections
> 
> On Wed, Jan 12, 2022 at 4:52 PM  wrote:
> >
> > Hello,
> >
> > Can this vulnerability be protected by a WAF such as ModSecurity?
> >
> 
> I would not recommend relying solely on a WAF to defend against a
> known issue in any application. With the issue in question being
> patched in the latest release (1.4.0), your best option is to upgrade
> to 1.4.0 and thus deploy the relevant patch.
> 
> - Mike
> 





Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022 at 4:52 PM  wrote:
>
> Hello,
>
> Can this vulnerability be protected by a WAF such as ModSecurity?
>

I would not recommend relying solely on a WAF to defend against a
known issue in any application. With the issue in question being
patched in the latest release (1.4.0), your best option is to upgrade
to 1.4.0 and thus deploy the relevant patch.

- Mike




RE: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread rst_pi_sisk10.vi
Hello,

 

Can this vulnerability be protected by a WAF such as ModSecurity?

 

From: Nick Couchman  
Sent: Thursday, January 13, 2022 6:33 AM
To: user@guacamole.apache.org
Subject: Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel 
identifier may be included in the non-private details of active connections

 

On Wed, Jan 12, 2022 at 4:28 PM guacatoine <guacamole.to...@placi.de> wrote:


Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> Severity: moderate

When running Apache Guacamole 1.3.0, is the only way of addressing 
CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming 
for one (or more lower) version(s) of Guacamole?

 

We do not plan to release patches for lower versions. Essentially, 1.4.0 is the 
patch.

 

If you really need to maintain a lower version, you could try to back-port the 
patch(es) that specifically address the issue to that version, but that's a lot 
of manual work versus just upgrading to the latest version.

 

-Nick



Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Nick Couchman
On Wed, Jan 12, 2022 at 4:28 PM guacatoine  wrote:

>
> Hello,
>
> On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:
> > Severity: moderate
>
> When running Apache Guacamole 1.3.0, is the only way of addressing
> CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming
> for one (or more lower) version(s) of Guacamole?
>
>
We do not plan to release patches for lower versions. Essentially, 1.4.0 is
the patch.

If you really need to maintain a lower version, you could try to back-port
the patch(es) that specifically address the issue to that version, but
that's a lot of manual work versus just upgrading to the latest version.

-Nick


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread guacatoine



Hello,

On 11/01/2022 at 22:21, Mike Jumper - mjum...@apache.org wrote:

> Severity: moderate


When running Apache Guacamole 1.3.0, is the only way of addressing 
CVE-2021-41767 to update to v1.4.0 or is there a security patch incoming 
for one (or more lower) version(s) of Guacamole?


Thank you,
Toine




Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Mike Jumper
On Wed, Jan 12, 2022, 01:41 Jürgen Kuri  wrote:

> On 11.01.22 at 22:21, Mike Jumper wrote:
> > Severity: moderate
> >
> > Description:
> >
> > Apache Guacamole 1.3.0 and older may incorrectly include a private
> > tunnel identifier in the non-private details of some REST responses.
> > This may allow an authenticated user who already has permission to
> > access a particular connection to read from or interact with another
> > user's active use of that same connection.
> >
> > Credit:
> >
> > We would like to thank Damian Velardo (Australia and New Zealand
> > Banking Group) for reporting this issue.
> >
> >
> Hello,
>
> which component is affected here, backend (guacd) or frontend (.war) or
> both?
>

The web application (.war).

- Mike


Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-12 Thread Jürgen Kuri
On 11.01.22 at 22:21, Mike Jumper wrote:
> Severity: moderate
> 
> Description:
> 
> Apache Guacamole 1.3.0 and older may incorrectly include a private
> tunnel identifier in the non-private details of some REST responses.
> This may allow an authenticated user who already has permission to
> access a particular connection to read from or interact with another
> user's active use of that same connection.
> 
> Credit:
> 
> We would like to thank Damian Velardo (Australia and New Zealand
> Banking Group) for reporting this issue.
> 
> 
Hello,

which component is affected here, backend (guacd) or frontend (.war) or both?

-- 
Thanks
Jürgen




[SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections

2022-01-11 Thread Mike Jumper
Severity: moderate

Description:

Apache Guacamole 1.3.0 and older may incorrectly include a private
tunnel identifier in the non-private details of some REST responses.
This may allow an authenticated user who already has permission to
access a particular connection to read from or interact with another
user's active use of that same connection.

Credit:

We would like to thank Damian Velardo (Australia and New Zealand
Banking Group) for reporting this issue.
