USN-6659-1: libde265 vulnerabilities

Product

Isolation Segment (1 more product)

Advisory ID

24839

Date

25 July 2024

Status

CLOSED

CVEs

CVE-2022-43244, CVE-2022-43245, CVE-2022-43249, CVE-2022-43250, CVE-2022-47665, CVE-2023-24751, CVE-2023-24752, CVE-2023-24754, CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758, CVE-2023-25221

Severity

medium

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 22.04

It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2022-43244, CVE-2022-43249, CVE-2022-43250, CVE-2022-47665, CVE-2023-25221)

It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2022-43245)

It was discovered that libde265 could be made to dereference invalid memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2023-24751, CVE-2023-24752, CVE-2023-24754, CVE-2023-24755, CVE-2023-24756, CVE-2023-24757, CVE-2023-24758)

Update Instructions

Run `sudo pro fix USN-6659-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions:

  • libde265-0 - 1.0.4-1ubuntu0.3
  • libde265-examples - 1.0.4-1ubuntu0.3
  • libde265-dev - 1.0.4-1ubuntu0.3

No subscription required.

Fixed and Unaffected VMware Products and Versions

  • cflinuxfs4
    • 1.75.0 or greater
  • CF Deployment
    • 39.1.0 or greater
  • Isolation Segment
    • 4.0.19+LTS-T or greater
    • 5.0.9 or greater
    • 6.0.x unaffected
  • VMware Tanzu Applications Service for VMs
    • 4.0.19+LTS-T or greater
    • 5.0.9 or greater
    • 6.0.x unaffected

References

https://ubuntu.com/security/notices/USN-6659-1

https://www.cloudfoundry.org/blog/usn-6659-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6659-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24839

History

2024-02-26: Initial vulnerability report published.