topic Re: Horizon UAG - CVE-2023-29017? in Horizon Desktops and Apps

Horizon UAG - CVE-2023-29017?

OliverGl — Mon, 24 Apr 2023 08:27:58 GMT

Are any components of Horizon UAG (2111.2) affected by CVE-2023-29017?

Critical Vulnerability in vm2 JavaScript Sandbox Library: Exploit Code Available (socradar.io)

NVD - CVE-2023-29017 (nist.gov)

root@UAG [ ~ ]# find / -name "node.js"
/opt/vmware/gateway/lib/bsg/node_modules/express/node_modules/debug/node.js

There are no information published on the advisory board yet: Advisories (vmware.com)
Does anybody can provide more information, if UAG is safe?

Thanks and Regards!

Oliver

Re: Horizon UAG - CVE-2023-29017?

yukiafronia — Tue, 25 Apr 2023 15:39:37 GMT

Hi, @OliverGl

I have also submitted a SR to VMware, but it is taking a long time to investigate.

Oh well, it's a spec check... It's hard work...

Once I do, I am waiting for VMSA to post it.
If there is any update from VMware, I would be glad if you could share it.

Sorry, I can't offer any advice...

Re: Horizon UAG - CVE-2023-29017?

OliverGl — Tue, 25 Apr 2023 17:49:37 GMT

Hi @yukiafronia ,

after almost 2 weeks I got some more information in my SR:

"Node.js is used by the Blast service on UAG."

"I have gotten feedback from our engineering team that PcoIP Secure Gateway stand-alone can be used to work around the vulnerability while a full assessment of the vulnerability is being conducted."

Regards!

Oliver

Re: Horizon UAG - CVE-2023-29017?

OliverGl — Wed, 26 Apr 2023 09:39:19 GMT

I got an final reply:

"CVE-2023-29017 is a vulnerability in vm2, which is an optional, third-party module for Node.js. The BSG does not use vm2 in any way. vm2 is not included in the BSG component install on any platform.
The BSG is not vulnerable to this CVE.
Based on this, we can conclude that Blast Secure Gateway is not susceptible to this vulnerability."

Regards!

Oliver