Security vulnerability CVE-2016-0701, Horizon 6 and Horizon Client

VMware has released a KB article (Security vulnerability CVE-2016-0701, Horizon 6 and Horizon Client, 2145144) for customers who are using VMware Horizon 6, about a security issue in OpenSSL.

OpenSSL 1.0.2 through 1.0.2e contain the vulnerability CVE-2016-0701 (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0701 for more information). This vulnerability can be exploited when DHE cipher suites are used. Note that ECDHE cipher suites are not vulnerable.

Horizon releases prior to 6.2 do not use any version of OpenSSL 1.0.2 and are not affected by this vulnerability. Horizon 6, versions 6.2, 6.2.1 and 6.2.2 include a version of OpenSSL 1.0.2 that is vulnerable, but disable DHE cipher suites by default. These releases will be exposed to this vulnerability if DHE cipher suites are re-enabled.

Horizon Client 4.0 and later do not use any version of OpenSSL with this vulnerability, but Horizon Client 3.5.x uses a version of OpenSSL 1.0.2 that is vulnerable.

Now, what is the solution?

If DHE cipher suites are required with Horizon 6.2.x, then upgrade to Horizon 6.2.3 or later, which uses a version of OpenSSL that does not have this vulnerability.

If you run Horizon Client 3.5.x and connect to servers or gateways that might have this vulnerability, you should upgrade to Horizon Client 4.0 or later.
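
The two exposure conditions described above (an OpenSSL build in the 1.0.2 through 1.0.2e range, and at least one DHE cipher suite enabled) can be checked with a short script. This is an added example, not code from the VMware KB or from this blog; the function names and sample inputs are assumptions made for illustration, with the banner in the format printed by `openssl version` and the cipher list given as suite names.

```python
import re

# Matches the release in an `openssl version` banner, e.g. "1.0.2d".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)\b")

def in_affected_range(banner):
    """True for OpenSSL 1.0.2 through 1.0.2e, the range the advisory names."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % banner)
    numbers = tuple(int(g) for g in m.group(1, 2, 3))
    letter = m.group(4)  # "" for plain 1.0.2, "d" for 1.0.2d
    return numbers == (1, 0, 2) and letter <= "e"

def is_dhe_suite(name):
    """True for DHE suites in OpenSSL or IANA-style naming, never for ECDHE."""
    tokens = [t for t in re.split(r"[-_]", name.upper()) if t]
    if tokens and tokens[0] in ("TLS", "SSL"):
        tokens = tokens[1:]  # IANA-style names carry a protocol prefix
    # Compare the whole key-exchange token: a substring test for "DHE"
    # would wrongly flag ECDHE suites. EDH is OpenSSL's older DHE alias.
    return bool(tokens) and tokens[0] in ("DHE", "EDH")

def dhe_suites(cipher_list):
    """Return the DHE entries of a colon-, comma- or space-separated list."""
    names = [n for n in re.split(r"[:,\s]+", cipher_list) if n]
    return [n for n in names if is_dhe_suite(n)]

def exposed(banner, cipher_list):
    """Both conditions must hold: affected OpenSSL and a DHE suite enabled."""
    return in_affected_range(banner) and bool(dhe_suites(cipher_list))

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real Horizon installation.
    banner = "OpenSSL 1.0.2d 9 Jul 2015"
    ciphers = ("ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:"
               "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA")
    print("affected OpenSSL:", in_affected_range(banner))
    print("DHE suites enabled:", dhe_suites(ciphers))
    print("exposed:", exposed(banner, ciphers))
```
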

Davoud Teimouri

Davoud Teimouri is a professional blogger, vExpert 2015/2016/2017/2018/2019, VCA, MCITP. This blog started with simple posts and now has a large following of readers.
