VMSA-2017-0011

Horizon View Client update addresses a command injection vulnerability

VMware Security Advisory

VMware Security Advisory Advisory ID:

VMSA-2017-0011

VMware Security Advisory Severity:

Important

VMware Security Advisory Synopsis:

Horizon View Client update addresses a command injection vulnerability

VMware Security Advisory Issue date:

2017-06-08

VMware Security Advisory Updated on:

2017-06-08 (Initial Advisory)

VMware Security Advisory CVE numbers:

CVE-2017-4918

1. Summary

Horizon View Client update addresses a command injection vulnerability

2. Relevant Products

VMware Horizon View Client for Mac (View Client)

3. Problem Description

Horizon View Client command injection vulnerability

VMware Horizon View Client contains a command injection vulnerability in the service startup script. Successful exploitation of this issue may allow unprivileged users to escalate their privileges to root on the Mac OSX system where the client is installed.

VMware would like to thank Florian Bogner from Kapsch BusinessCom AG for reporting this issue to us.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4918 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.

VMware Product

Product Version

Running on

Severity

Replace with/ Apply Patch

Mitigation/ Workaround

VMware Product View Client

Product Version 4.x

Running on OSX

Severity Important

Replace with/ Apply Patch 4.5

Mitigation/ Workaround None

VMware Product View Client

Product Version 3.x

Running on OSX

Severity Important

Replace with/ Apply Patch 4.5

Mitigation/ Workaround None

VMware Product View Client

Product Version 2.x

Running on OSX

Severity Important

Replace with/ Apply Patch 4.5

Mitigation/ Workaround None

4. Solution

Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.

VMware Horizon View Client

Downloads:

https://my.vmware.com/web/vmware/details?downloadGroup=CART17Q2_MAC_450&productId=578&rPId=16682

Documentation:

https://www.vmware.com/support/viewclients/doc/viewclients_pubs.html

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4918

6. Change log

2017-06-08 VMSA-2017-0011 Initial security advisory in conjunction with the release of VMware Horizon View Client 4.5 on 2017-06-08.

7. Contact

E-mail list for product security notifications and announcements:

http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

security-announce@lists.vmware.com

bugtraq@securityfocus.com

fulldisclosure@seclists.org

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055

VMware Security Advisories

http://www.vmware.com/security/advisories

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog

https://blogs.vmware.com/security

Twitter

https://twitter.com/VMwareSRC

Today’s Multi-Cloud Reality: Cloud Chaos

87% of enterprises use two or more cloud environments to run their applications. Multi-cloud accelerates digital transformation, but also introduces complexity and risk, resulting in a chaotic reality for many organizations.

Conquer Cloud Chaos with VMware Cross-Cloud services

Anywhere Workspace

App Platform

Cloud & Edge Infrastructure

Cloud Management

Desktop Hypervisor

Security & Networking

Run VMware on any Cloud. Any Environment. Anywhere.

On Public & Hybrid Clouds

On Private & Local Clouds

Solutions

Anywhere Workspace Access Any App on Any Device Securely

App Platform Build and Operate Cloud Native Apps

Cloud Infrastructure Run Enterprise Apps Anywhere

Cloud Management Automate and Optimize Apps and Clouds

Edge Infrastructure Enable the Multi-Cloud Edge

Networking Enable Connectivity for Apps and Clouds

Security Secure Apps and Clouds

By Industry

VMware AI Solutions

For Customers

For Partners

Working Together with Partners for Customer Success

Tools & Training

Services

Support

Marketplace

Videos

Blogs & Communities

Customers

Events

VMSA-2017-0011

Horizon View Client update addresses a command injection vulnerability

VMware Security Advisory

1. Summary

2. Relevant Products

3. Problem Description

VMware Product

Product Version

Running on

Severity

Replace with/ Apply Patch

Mitigation/ Workaround

Security

Anywhere Workspace
Access Any App on Any Device Securely

App Platform
Build and Operate Cloud Native Apps

Cloud Infrastructure
Run Enterprise Apps Anywhere

Cloud Management
Automate and Optimize Apps and Clouds

Edge Infrastructure
Enable the Multi-Cloud Edge

Networking
Enable Connectivity for Apps and Clouds

Security
Secure Apps and Clouds