Security vulnerability CVE-2016-0701, Horizon 6 and Horizon Client
VMware has released KB article 2145144 ("Security vulnerability CVE-2016-0701, Horizon 6 and Horizon Client") for customers using VMware Horizon 6, covering a security issue in OpenSSL.
OpenSSL versions 1.0.2 through 1.0.2e contain the vulnerability CVE-2016-0701 (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0701 for more information). This vulnerability can be exploited when DHE cipher suites are used. Note that ECDHE cipher suites are not vulnerable.
Horizon releases prior to 6.2 do not use any version of OpenSSL 1.0.2 and are not affected by this vulnerability. Horizon 6, versions 6.2, 6.2.1 and 6.2.2 include a version of OpenSSL 1.0.2 that is vulnerable, but disable DHE cipher suites by default. These releases will be exposed to this vulnerability if DHE cipher suites are re-enabled.
Horizon Client 4.0 and later do not use any version of OpenSSL with this vulnerability, but Horizon Client 3.5.x uses a version of OpenSSL 1.0.2 that is vulnerable.
Now, what is the solution?
If DHE cipher suites are required with Horizon 6.2.x, then upgrade to Horizon 6.2.3 or later, which uses a version of OpenSSL that does not have this vulnerability.
If you run Horizon Client 3.5.x and connect to servers or gateways that might have this vulnerability, you should upgrade to Horizon Client 4.0 or later.
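The server-side conditions above can be turned into an inventory check. The following is an added example, not code from VMware or the KB: it takes a Horizon 6 version string and the list of cipher suites enabled on that server, and reports whether the combination is exposed. The function names, status strings and sample suite lists are assumptions made for illustration.

```python
# Added example: exposure check for the Horizon 6 server conditions in this post.
import re

FIRST_VULN = (6, 2, 0)   # first Horizon 6 release with OpenSSL 1.0.2 (per the post)
FIRST_FIXED = (6, 2, 3)  # release the post names as the fix

def parse_version(text):
    """'6.2.1' -> (6, 2, 1); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def key_exchange(suite):
    """Classify a suite name (IANA/JSSE or OpenSSL style) as DHE, ECDHE or other."""
    tokens = [t for t in re.split(r"[-_]", suite.strip().upper()) if t]
    if tokens and tokens[0] in ("TLS", "SSL"):
        tokens = tokens[1:]          # drop the IANA/JSSE prefix
    first = tokens[0] if tokens else ""
    if first in ("DHE", "EDH"):      # EDH is OpenSSL's legacy spelling of DHE
        return "DHE"
    if first == "ECDHE":
        return "ECDHE"
    return "other"

def assess(horizon_version, enabled_suites):
    """Return (status, dhe_suites) for a Horizon 6 server."""
    version = parse_version(horizon_version)
    dhe = [s for s in enabled_suites if key_exchange(s) == "DHE"]
    if version < FIRST_VULN:
        return "not affected", dhe
    if version >= FIRST_FIXED:
        return "fixed", dhe
    # 6.2, 6.2.1, 6.2.2: vulnerable library, exposed only if DHE was re-enabled
    return ("exposed" if dhe else "vulnerable library, DHE disabled"), dhe

if __name__ == "__main__":
    # Constructed sample suite lists, not taken from a real deployment.
    default_like = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_RSA_WITH_AES_128_CBC_SHA"]
    reenabled = default_like + ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                                "EDH-RSA-DES-CBC3-SHA"]
    for ver, suites in [("6.1.1", reenabled), ("6.2.2", default_like),
                        ("6.2.2", reenabled), ("6.2.3", reenabled)]:
        print(ver, *assess(ver, suites))
```

The check covers servers only; for Horizon Client the post's rule is simply 3.5.x versus 4.0 or later.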