VMware Horizon Community
vPat
Contributor

Horizon View 7.4.0 build-7400497 and INFORMATION DISCLOSURE

Got flagged on a PEN test that internal IPs were exposed. Do I need to upgrade, or can I make changes or patch it?

If I did have to upgrade, what is the version that fixes this security issue?

I don't see 7.4 listed (unless they mean all versions of 7), and I am running gateway v3.2.1, which is also not listed.

What's strange is the PEN test flagged my DR site running Horizon View but did not flag my Production site running Horizon View, and they are both running the exact same versions.

I just want to know if it exists with my version of View and gateway. I have no way of testing and don't know the tool they used; I just want to make sure they didn't ding me on this because they read an advisory and never checked my version.


Thanks

1 Reply
MaxStr
Hot Shot

A lot of those PCI scanners don't bother to check versions. I think you're OK though; the details for CVE-2017-4907 say it applies to versions before 7.1:

VMware Unified Access Gateway (2.5.x, 2.7.x, 2.8.x prior to 2.8.1) and Horizon View (7.x prior to 7.1.0, 6.x prior to 6.2.4) contain a heap buffer-overflow vulnerability which may allow a remote attacker to execute code on the security gateway.