2020-07-03 Apache Guacamole security release (CVE-2020-9497)
On July 3rd, Apache Guacamole released a new version (1.2.0) that contains an important security update.
The information disclosed to date is the following:
- Apache Guacamole does not properly validate data received from Remote Desktop Protocol (RDP) servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the “guacd” process handling the connection.
You can find more information about this issue in this blog post or in the official CVE entry.
These are the versions affected by this vulnerability:
- Versions 1.1.0 and older that provide access to untrusted RDP servers.
Check the Apache Guacamole version you are currently using to determine whether your installation is affected and needs to be patched. You can execute the following command to check your current version.
$ cat /home/bitnami/stack/properties.ini
How to patch it
Bitnami has released a new version of Bitnami Apache Guacamole, 1.2.0, for both virtual machines and cloud images, which fixes this vulnerability.
If you are running an outdated version of Guacamole, it is highly recommended to deploy the new version instead.
Do you have more questions? You can open an issue in this GitHub repository. Our support team will be happy to help you there.