VMware Tanzu products update for util-linux

1) Memory leak

EUVDB-ID: #VU64464

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-5011

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

Exploit availability: No

Description

The vulnerability allows an attacker with physical access to perform DoS attack on the target system.

The vulnerability exists due memory leak in the parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux. An attacker with physical USB access can perform denial of service attack via a crafted MSDOS partition table with an extended partition boot record at zero offset.

Mitigation

Install update from vendor's website.

Vulnerable software versions

VMware Tanzu Application Service for VMs: All versions

Tanzu Greenplum for Kubernetes: 1.0.0 - 1.13.0

Isolation Segment: All versions

VMware Tanzu Operations Manager: before 2.9.41, 2.10.44, 2.9.41

CPE2.3

• cpe:2.3:a:vmware:vmware_tanzu_application_service_for_vms:*:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:tanzu_greenplum_for_kubernetes:1.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:tanzu_greenplum_for_kubernetes:1.0.1:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:tanzu_greenplum_for_kubernetes:1.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:isolation_segment:*:*:*:*:*:*:*:*
• cpe:2.3:a:vmware:vmware_tanzu_operations_manager:*:*:*:*:*:*:*:*

External links

https://tanzu.vmware.com/security/usn-5478-1

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.