Bug 1669110 (CVE-2018-1340)

Summary: CVE-2018-1340 guacamole: Secure flag missing from Apache Guacamole session cookie
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
Severity: medium
Priority: medium
Version: unspecified
CC: negativo17
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: guacamole 1.0.0
Last Closed: 2019-06-10 10:46:28 UTC
Bug Depends On: 1669121, 1669122

Description Dhananjay Arunesh 2019-01-24 11:17:28 UTC
Prior to 1.0.0, Apache Guacamole used a cookie for client-side storage
of the user's session token. This cookie lacked the "secure" flag,
which could allow an attacker eavesdropping on the network to
intercept the user's session token if unencrypted HTTP requests are
made to the same domain.

Mitigation:
Users of Apache Guacamole 0.9.14 or older should upgrade to 1.0.0.

References:
https://seclists.org/oss-sec/2019/q1/90
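As an added illustration of the weakness described above (example code, not part of the bug report or of the Guacamole project), the check below parses Set-Cookie header values and reports session cookies that lack the Secure attribute, so the defect can be found in a deployment's responses and the hardened form compared against it. The cookie name GUAC_SESSION, the path and the header values are constructed for the example.

```python
# Added example: flag session cookies set without the Secure attribute.
# Cookie name, path and header values below are constructed, not taken
# from Guacamole.
from typing import Dict, List, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as Secure and HttpOnly carry no value and map to "".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def insecure_session_cookies(headers: List[str], session_names: List[str]) -> List[str]:
    """Return the names of session cookies that were set without Secure.

    Without Secure the browser also sends the cookie on plain http:// requests
    to the same host, which is the exposure described in CVE-2018-1340.
    """
    missing = []
    for h in headers:
        name, _value, attrs = parse_set_cookie(h)
        if name in session_names and "secure" not in attrs:
            missing.append(name)
    return missing


# Constructed sample headers: the vulnerable form beside the hardened form.
VULNERABLE_HEADERS = ["GUAC_SESSION=abc123; Path=/guacamole/"]
HARDENED_HEADERS = [
    "GUAC_SESSION=abc123; Path=/guacamole/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    print(insecure_session_cookies(VULNERABLE_HEADERS, ["GUAC_SESSION"]))  # ['GUAC_SESSION']
    print(insecure_session_cookies(HARDENED_HEADERS, ["GUAC_SESSION"]))    # []
```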

Comment 1 Dhananjay Arunesh 2019-01-24 11:20:43 UTC
Created guacamole tracking bugs for this issue:

Affects: fedora-all [bug 1669112]

Comment 2 Dhananjay Arunesh 2019-01-24 11:34:06 UTC
Created guacamole tracking bugs for this issue:

Affects: epel-all [bug 1669120]

Comment 3 Andrej Nemec 2019-01-24 11:39:24 UTC
Created guacamole-server tracking bugs for this issue:

Affects: epel-all [bug 1669122]
Affects: fedora-all [bug 1669121]

Comment 4 Product Security DevOps Team 2019-06-10 10:46:28 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.