Apache Guacamole 1.1.0 and older may mishandle pointers involved in processing data received via RDP static virtual channels. If a user connects to a malicious or compromised RDP server, a series of specially-crafted PDUs could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.

Mitigation: Users of versions of Apache Guacamole 1.1.0 and older that provide access to untrusted RDP servers should upgrade to 1.2.0.
Created guacamole-server tracking bugs for this issue:

Affects: epel-6 [bug 1853387]
Affects: epel-7 [bug 1853388]
Affects: fedora-all [bug 1853386]
External References: https://lists.apache.org/thread.html/rff824b38ebd2fddc726b816f0e509696b83b9f78979d0cd021ca623b%40%3Cannounce.guacamole.apache.org%3E
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.