Issue
A vulnerability has been identified that, if exploited, could result in the following security vulnerability:
| CVD-ID | Description | Pre-Requisites | CWE | CVSS |
| CVE-2023 | Users with only access to launch VDA applications can launch an unauthorized desktop | Authorized user with the ability to launch a virtual application | CWE-284 | 6.3 |
Additional Information
The vulnerability affects the following supported versions of Windows Virtual Delivery Agent:
Current Release (CR):
- Citrix Virtual Apps and Desktops versions before 2305
Long Term Service Release (LTSR):
- Citrix Virtual Apps and Desktops 2203 LTSR before CU3
- Citrix Virtual Apps and Desktops 1912 LTSR before CU7
The vulnerability affects the following supported versions of Linux Virtual Delivery Agent:
Current Release (CR):
- Linux Virtual Delivery Agent version before 2305
Long Term Service Release (LTSR):
- Linux Virtual Delivery Agent 2203 LTSR before CU3
- Linux Virtual Delivery Agent 1912 LTSR before CU7 hotfix 1(19.12.7001)
Recommended Action
Recent versions of Citrix Virtual Apps and Desktops contain fixes for this vulnerability.
Citrix Virtual Apps and Desktops:
- Citrix Virtual Apps and Desktops 2305 and later versions
- Citrix Virtual Apps and Desktops 2203 LTSR CU3 and later cumulative updates
- Citrix Virtual Apps and Desktops 1912 LTSR CU7 and later cumulative updates
Linux Virtual Delivery Agent:
- Linux Virtual Delivery Agent 2305 and later versions
- Linux Virtual Delivery Agent 2203 LTSR CU3 and later cumulative updates
- Linux Virtual Delivery Agent 1912 LTSR CU7 hotfix 1(19.12.7001) and later cumulative updates
Citrix strongly recommends that customers upgrade to versions of Virtual Apps and Desktops and Linux Virtual Delivery Agent that contain the fixes as soon as possible.
More Information
Read the complete bulletin here.
For assistance from the Kraft Kennedy team, please contact us.