VMware Horizon Community
OliverGl (Contributor)

Horizon UAG - CVE-2023-29017?

Are any components of Horizon UAG (2111.2) affected by CVE-2023-29017?

Critical Vulnerability in vm2 JavaScript Sandbox Library: Exploit Code Available (socradar.io)

NVD - CVE-2023-29017 (nist.gov)

root@UAG [ ~ ]# find / -name "node.js"
/opt/vmware/gateway/lib/bsg/node_modules/express/node_modules/debug/node.js

There is no information published on the advisory board yet: Advisories (vmware.com)
Can anybody provide more information on whether UAG is safe?

Thanks and Regards!

Oliver
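A defender-side check in the spirit of the `find` command above, added here as an example (it is not from the thread, from VMware, or from the UAG product): it reports whether any vm2 module sits under a Node.js tree and whether its version predates a fixed release supplied by the caller. The fixed version and the demo directory tree are constructed placeholders, not values from this thread; take the real threshold from the NVD entry linked above.

```shell
#!/bin/sh
# Added example, not UAG's own code. Scans a directory tree for installed
# vm2 modules and compares their version to a caller-supplied fixed release.
# Requires a sort that understands -V (GNU coreutils, busybox).
set -u

# Extract "version" from a package.json without needing jq or node.
pkg_version() {
    sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print one line per vm2 install: "<vulnerable|patched> <version> <path>".
# Args: root directory to scan, first fixed version (assumed, e.g. "1.0.1").
vm2_report() {
    root=$1; fixed=$2
    find "$root" -path '*/node_modules/vm2/package.json' 2>/dev/null |
    while IFS= read -r pkg; do
        ver=$(pkg_version "$pkg")
        # The lower of the two versions sorts first; if that is the installed
        # one and it differs from the fixed release, it predates the fix.
        lowest=$(printf '%s\n%s\n' "$ver" "$fixed" | sort -V | head -n 1)
        if [ "$ver" != "$fixed" ] && [ "$lowest" = "$ver" ]; then
            printf 'vulnerable %s %s\n' "$ver" "$pkg"
        else
            printf 'patched %s %s\n' "$ver" "$pkg"
        fi
    done
}

# Overall verdict for a tree: absent | vulnerable | patched
vm2_verdict() {
    report=$(vm2_report "$1" "$2")
    if [ -z "$report" ]; then echo absent
    elif printf '%s\n' "$report" | grep -q '^vulnerable '; then echo vulnerable
    else echo patched; fi
}

# Constructed demo tree (not a real UAG image): one install without vm2,
# mirroring the express/debug path from the post, and one with a fake vm2
# at the constructed version 1.0.0. Prints the temp directory it created.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/lib/bsg/node_modules/express/node_modules/debug"
    printf '{ "name": "debug", "version": "0.0.1" }\n' \
        > "$base/clean/lib/bsg/node_modules/express/node_modules/debug/package.json"
    mkdir -p "$base/dirty/app/node_modules/vm2"
    printf '{\n  "name": "vm2",\n  "version": "1.0.0"\n}\n' \
        > "$base/dirty/app/node_modules/vm2/package.json"
    echo "$base"
}
```

On a real appliance, point it at the gateway tree from the post: `vm2_verdict /opt/vmware/gateway <fixed-version>`.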

Accepted Solutions
OliverGl (Contributor)

I got a final reply:

"CVE-2023-29017 is a vulnerability in vm2, which is an optional, third-party module for Node.js. The BSG does not use vm2 in any way. vm2 is not included in the BSG component install on any platform.
The BSG is not vulnerable to this CVE.
Based on this, we can conclude that Blast Secure Gateway is not susceptible to this vulnerability."

Regards!

Oliver


3 Replies
yukiafronia (Enthusiast)

Hi, @OliverGl

I have also submitted an SR to VMware, but it is taking a long time to investigate.

Oh well, it's a spec check... It's hard work...

Once I do, I am waiting for VMSA to post it.
If there is any update from VMware, I would be glad if you could share it.

Sorry, I can't offer any advice...

OliverGl (Contributor)

Hi @yukiafronia ,

After almost 2 weeks I got some more information in my SR:

"Node.js is used by the Blast service on UAG."

"I have gotten feedback from our engineering team that PCoIP Secure Gateway stand-alone can be used to work around the vulnerability while a full assessment of the vulnerability is being conducted."

Regards!

Oliver