lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 7 Aug 2018 21:03:12 +0000
From: VMware Security Response Center <>
To: "" <>,
  "" <>
Subject: New VMSA-2018-0019 - Horizon 6, 7, and Horizon Client for Windows
 updates address an out-of-bounds read vulnerability

Hash: SHA1

- ----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2018-0019
Severity:    Important
Synopsis:    Horizon 6, 7, and Horizon Client for Windows updates
             address an out-of-bounds read vulnerability
Issue date:  2018-08-07
Updated on:  2018-08-07 (Initial Advisory)
CVE number:  CVE-2018-6970

1. Summary

   Horizon 6, 7, and Horizon Client for Windows updates address an
   out-of-bounds read vulnerability

2. Relevant Releases

   VMware Horizon 6
   VMware Horizon 7
   VMware Horizon Client for Windows

3. Problem Description

   Horizon 6, 7, and Horizon Client for Windows contain an out-of-
   bounds read vulnerability in the Message Framework library.
   Successfully exploiting this issue may allow a less-privileged user
   to leak information from a privileged process running on a system
   where Horizon Connection Server, Horizon Agent or Horizon Client are

   Note: This issue doesn’t apply to Horizon 6, 7 Agents installed on
   Linux systems or Horizon Clients installed on non-Windows systems.

   VMware would like to thank Steven Seeley (mr_me) of Source Incite
   working with Trend Micro's Zero Day Initiative for reporting this
   issue to us.

   The Common Vulnerabilities and Exposures project ( has
   assigned the identifier CVE-2018-6970 to this issue.

   Column 5 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is

   VMware        Product Running           Replace with/    Mitigation/
   Product       Version on      Severity  Apply patch      Workaround
   ===========   ======= ======= ========= =============    ==========
   Horizon 7      7.x.x  Windows Important     7.5.1           None
   Horizon 6      6.x.x  Windows Important     6.2.7           None
   Horizon Client 4.x.x  Windows Important     4.8.1           None
   for Windows    & prior

4. Solution

   Please review the patch/release notes for your product and
   version and verify the checksum of your downloaded file.

   VMware Horizon 7 version 7.5.1
   Downloads and Documentation:

   VMware Horizon 6 version 6.2.7
   Downloads and Documentation:

   VMware Horizon Client for Windows 4.8.1
   Downloads and Documentation:

5. References
- -----------------------------------------------------------------------

6. Change log

   2018-08-07 VMSA-2018-0019
   Initial security advisory in conjunction with the release of VMware
   Horizon 6 version 6.2.7 and Horizon Client 4.8.1 on 2018-08-07
- -----------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:

   This Security Advisory is posted to the following lists:

     security-announce at
     bugtraq at
     fulldisclosure at

   E-mail: security at
   PGP key at:

   VMware Security Advisories

   VMware Security Response Policy

   VMware Lifecycle Support Phases

   VMware Security & Compliance Blog


   Copyright 2018 VMware Inc.  All rights reserved.

Version: PGP Desktop 9.8.3 (Build 4028)
Charset: utf-8


Powered by blists - more mailing lists