VMSA-2022-0012

• VMware Horizon Client for Linux

Multiple vulnerabilities in VMware Horizon Client for Linux were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

VMware Horizon Client for Linux contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

A low-privileged malicious actor with local access to Horizon Client for Linux may be able to change the default shared folder location due to a vulnerable symbolic link. Successful exploitation can result in linking to a root owned file.

To remediate CVE-2022-22962 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

None.

None.

None.

VMware would like to thank Jack Luketina for reporting this issue to us.

VMware Horizon Client for Linux contains a local privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

A low-privileged malicious actor with local access to Horizon Client for Linux may be able to escalate privileges to root due to a vulnerable configuration file.

To remediate CVE-2022-22964 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.

None.

None.

None.

VMware would like to thank Jack Luketina for reporting this issue to us.

Fixed Version(s) and Release Notes:

VMware Horizon Client for Linux 2203

Downloads and Documentation:

https://docs.vmware.com/en/VMware-Horizon-Client-for-Linux/2203/rn/vmware-horizon-client-for-linux-2203-release-notes/index.html

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22962

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22964

FIRST CVSSv3 Calculator:
CVE-2022-22962: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

CVE-2022-22964: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

2022-04-06 VMSA-2022-0012
Initial security advisory.

E-mail list for product security notifications and announcements:

https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

VMware Security Advisories

https://www.vmware.com/security/advisories 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

Twitter

https://twitter.com/VMwareSRC

Copyright 2022 VMware Inc. All rights reserved.