Hi Guac users,

A colleague of mine sent over this article (https://threatpost.com/apache-guacamole-control-remote-footprint/157124/) talking about some CVEs that affected older versions of Apache Guacamole.

At the end of the article, there is a quote that puzzled me a bit: "Apache fixed all of these issues with the release of version 1.2.02 on June 28." I wasn't aware of a 1.2.02 release... Looking at the security reports page of the Apache Guacamole website (https://guacamole.apache.org/security/), it mentions that the above article's CVEs have been "Fixed in Apache Guacamole 1.2.0" (emphasis mine, and no mention of 1.2.02).

In our environment, we run Docker instances of guacd and guacamole. Referencing the tags available for Guacamole on Docker Hub (https://hub.docker.com/r/guacamole/guacamole/tags), the latest versioned release I see is 1.2.0 (latest also points to 1.2.0, in case you were wondering). Looking at the logs from my systems, I see references to guacd starting as version 1.2.0 as well. Additionally, the Guacamole Releases page (https://guacamole.apache.org/releases/) lists the release date of 1.2.0 as 2020-06-28, the same date the article claims 1.2.02 was released.

Now getting to my actual questions: Is there such a thing as 1.2.02? Are the images on Docker Hub just behind? ...or maybe this article is just incorrect in referencing that version?

Thanks,
Erik
______________________________________
Erik Ostrom
Systems Administrator
Voiland College of Engineering and Architecture
Washington State University
Office: WSU Tri-Cities CIC 225
email: [email protected]
phone: (509) 335-4922
(Help me help you! Generate a support ticket by visiting support.vcea.wsu.edu/open.php, or by sending an email to [email protected])
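The check the question above boils down to (is what we run at or above the advisory's "fixed in" version, and does the version the article names even exist as a published tag?) as an added example. This is not code from the original post or from the Guacamole project; the tag list is a constructed sample in the shape of the Docker Hub v2 tags API, not a live response, and the guacd log line is constructed to match the startup message format, which may differ between versions.

```python
"""Added example: compare deployed Guacamole/guacd versions against an
advisory's "fixed in" version and against the tags a registry publishes.
All sample data below is constructed for illustration (assumption), not
fetched from Docker Hub or taken from a real log.
"""
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample shaped like a Docker Hub v2 tags response
# (https://hub.docker.com/v2/repositories/guacamole/guacamole/tags/); not live data.
SAMPLE_TAGS_JSON = json.dumps({
    "results": [
        {"name": "latest"},
        {"name": "1.2.0"},
        {"name": "1.1.0"},
        {"name": "1.0.0"},
    ]
})

# Constructed log line in the form guacd prints at startup (assumption).
SAMPLE_GUACD_LOG = "guacd[1]: INFO:\tGuacamole proxy daemon (guacd) version 1.2.0 started"

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(tag: str) -> Optional[Version]:
    """Return (major, minor, patch) for a canonical X.Y.Z tag, else None.

    Non-canonical strings such as 'latest' or '1.2.02' are rejected rather
    than silently normalised, so a typo in an article is never mistaken
    for a release that exists.
    """
    m = VERSION_RE.match(tag.strip())
    if not m:
        return None
    parts = m.groups()
    # A zero-padded component like '02' cannot come from a real X.Y.Z tag.
    if any(len(p) > 1 and p.startswith("0") for p in parts):
        return None
    return tuple(int(p) for p in parts)  # type: ignore[return-value]


def published_versions(tags_json: str) -> List[Version]:
    """Extract and sort the canonical version tags from a tags response."""
    data = json.loads(tags_json)
    versions = []
    for entry in data.get("results", []):
        v = parse_version(entry.get("name", ""))
        if v is not None:
            versions.append(v)
    return sorted(versions)


def latest_published(tags_json: str) -> Optional[str]:
    """Highest X.Y.Z tag in the response, ignoring floating tags like 'latest'."""
    versions = published_versions(tags_json)
    return ".".join(map(str, versions[-1])) if versions else None


def version_exists(tags_json: str, version: str) -> bool:
    """True only if the exact canonical version appears as a published tag."""
    v = parse_version(version)
    return v is not None and v in published_versions(tags_json)


def running_guacd_version(log_line: str) -> Optional[str]:
    """Pull the version string out of guacd's startup log line."""
    m = re.search(r"\(guacd\) version (\S+) started", log_line)
    return m.group(1) if m else None


def is_patched(running: str, fixed_in: str) -> bool:
    """True if the running version is at or above the advisory's fixed-in version.

    Raises ValueError instead of guessing when either string is not a
    canonical version, so '1.2.02' cannot quietly pass or fail the check.
    """
    r, f = parse_version(running), parse_version(fixed_in)
    if r is None or f is None:
        raise ValueError(f"unparseable version: running={running!r} fixed_in={fixed_in!r}")
    return r >= f


if __name__ == "__main__":
    running = running_guacd_version(SAMPLE_GUACD_LOG)
    print("latest published tag:", latest_published(SAMPLE_TAGS_JSON))
    print("running guacd:", running)
    print("patched per security page (fixed in 1.2.0):", is_patched(running, "1.2.0"))
    print("does 1.2.02 exist as a tag?", version_exists(SAMPLE_TAGS_JSON, "1.2.02"))
```

Against the constructed data the check reports 1.2.0 as both the newest published tag and the running version, so the deployment is at the fixed-in version from the security page, while "1.2.02" is rejected as a non-canonical string and matches no tag. Feeding it a real tags response and your own guacd log line is the same call; only the two constants change.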
