Support Content Notification - Support Portal

USN-6627-1: libde265 vulnerabilities

Product/Component

VMware Tanzu Greenplum

0 more products

Notification Id

24845

Last Updated

25 July 2024

Initial Publication Date

25 July 2024

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

CVE-2021-36408;CVE-2021-35452;CVE-2021-36409;CVE-2021-36410;CVE-2021-36411;CVE-2022-1253;CVE-2022-43235;CVE-2022-43236;CVE-2022-43237;CVE-2022-43238;CVE-2022-43239;CVE-2022-43240;CVE-2022-43241;CVE-2022-43242;CVE-2022-43243;CVE-2022-43248;CVE-2022-43252;CVE-2022-43253

Severity

medium

Vendor

VMware Tanzu

Versions Affected

Canonical Ubuntu 22.04

It was discovered that libde265 could be made to read out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2021-35452, CVE-2021-36411, CVE-2022-43238, CVE-2022-43241, CVE-2022-43242) It was discovered that libde265 did not properly manage memory. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2021-36408) It was discovered that libde265 contained a logical error. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service. (CVE-2021-36409) It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2021-36410, CVE-2022-43235, CVE-2022-43236, CVE-2022-43237, CVE-2022-43239, CVE-2022-43240, CVE-2022-43243, CVE-2022-43248, CVE-2022-43252, CVE-2022-43253) It was discovered that libde265 could be made to write out of bounds. If a user or automated system were tricked into opening a specially crafted file, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-1253) Update Instructions: Run `sudo pro fix USN-6627-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libde265-0 - 1.0.4-1ubuntu0.2 libde265-examples - 1.0.4-1ubuntu0.2 libde265-dev - 1.0.4-1ubuntu0.2 No subscription required

Fixed and Unaffected VMware Products and Versions

Cflinixfs4

1.71.0 or greater

CF Deployment

37.5.0 or greater

Tanzu Greenplum for Kubernetes

2.0.0 or greater

Isolation Segment

4.0.18+LTS-T or greater
5.0.8 or greater
6.0.x unaffected

VMware Tanzu Applications Service for VMs

4.0.18+LTS-T or greater
5.0.8 or greater
6.0.x unaffected

References

https://ubuntu.com/security/notices/USN-6627-1

https://www.cloudfoundry.org/blog/usn-6627-1

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6627-1

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24845

History

2024-02-08: Initial vulnerability report published.