Broadcom VMware security advisory (AV26-434): analysis summary
# Vulnerability: Multiple Vulnerabilities in Broadcom VMware Tanzu Products
## CVE Details
- **CVE ID**: Not explicitly listed in the provided summary (AV26-434 is the Canadian Centre for Cyber Security bulletin ID, not a CVE). Broadcom's individual advisories for these versions typically cover multiple CVEs, including flaws in bundled dependencies.
- **CVSS Score**: Not provided (the CCCS categorizes the bulletin as "Critical").
- **CWE**: Not specified; Tanzu suite advisories are frequently associated with Improper Input Validation or vulnerable third-party dependencies.
## Affected Systems
- **Products & Versions**:
  - Tanzu Greenplum Command Center: versions prior to 6.17.0 and 7.7.0
  - Tanzu Greenplum Data Copy Utility: versions prior to 2.9.3
  - Tanzu for MySQL on Kubernetes: versions prior to 2.0.3
  - Tanzu Greenplum Streaming Server: versions prior to 2.3.0 (Standard) and 1.3.0 (for Kubernetes)
  - Tanzu Greenplum Streaming on Kubernetes: versions prior to 1.1.0
  - Tanzu Greenplum Text: versions prior to 4.0.0
  - Tanzu for Valkey on Kubernetes: versions prior to 3.3.4 and 3.4.0
## Vulnerability Description
The advisory addresses multiple security flaws across the Tanzu data and messaging portfolio. While the specific technical primitives are contained in the vendor’s restricted advisories, these updates generally address critical security regressions, unauthorized access risks, or vulnerabilities in underlying container images and integrated open-source components (e.g., MySQL or Valkey).
## Exploitation
- **Status**: Not reported as exploited in the wild (based on current advisory status).
- **Complexity**: Variable (Typically Low to Medium for Tanzu platform components).
- **Attack Vector**: Network (Remote).
## Impact
- **Confidentiality**: High
- **Integrity**: High
- **Availability**: High
## Remediation
### Patches
Broadcom recommends upgrading to the following versions or later:
- **Tanzu Greenplum Command Center**: 6.17.0 or 7.7.0
- **Tanzu Greenplum Data Copy Utility**: 2.9.3
- **Tanzu for MySQL on Kubernetes**: 2.0.3
- **Tanzu Greenplum Streaming Server**: 2.3.0 (non-K8s) or 1.3.0 (K8s)
- **Tanzu Greenplum Streaming on Kubernetes**: 1.1.0
- **Tanzu Greenplum Text**: 4.0.0
- **Tanzu for Valkey on Kubernetes**: 3.3.4 or 3.4.0
### Workarounds
No specific workarounds were provided in the bulletin. Immediate patching is the recommended course of action for critical-rated Tanzu vulnerabilities.
## Detection
- **Indicators of Compromise**: Monitor for unusual administrative login attempts or unauthorized container orchestration commands within Tanzu environments.
- **Detection Methods**: Verify current software versions via the Tanzu Operations Manager or CLI tools (`gpcc --version`, `kubectl get pods`). Internal vulnerability scanners should be updated with the latest Broadcom definitions.
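Added example, not part of the bulletin or any Broadcom tooling: a small version gate that encodes the fixed versions listed above and reports whether an installed build is below the fix on its own release branch. Products with two fixed releases (e.g. Command Center 6.17.0 and 7.7.0) are the case a naive "installed >= some fixed version" check gets wrong, since 7.0.0 is newer than 6.17.0 but still affected; the inventory values passed in are assumed to come from your own `gpcc --version` / `kubectl` output.

```python
"""Added example: gate installed Tanzu component versions against the fixed
versions listed in AV26-434. Product names and inventories are constructed."""
import re
from typing import Dict, List, Tuple

# Minimum fixed versions from the bulletin ("or later"), one entry per release branch.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Tanzu Greenplum Command Center": ["6.17.0", "7.7.0"],
    "Tanzu Greenplum Data Copy Utility": ["2.9.3"],
    "Tanzu for MySQL on Kubernetes": ["2.0.3"],
    "Tanzu Greenplum Streaming Server": ["2.3.0", "1.3.0"],
    "Tanzu Greenplum Streaming on Kubernetes": ["1.1.0"],
    "Tanzu Greenplum Text": ["4.0.0"],
    "Tanzu for Valkey on Kubernetes": ["3.3.4", "3.4.0"],
}

def parse_version(text: str) -> Tuple[int, ...]:
    """'v6.17.0' -> (6, 17, 0); parsing stops at the first non-numeric component."""
    nums: List[int] = []
    for part in text.strip().lstrip("v").split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:          # pad so (6, 17) compares equal to (6, 17, 0)
        nums.append(0)
    return tuple(nums)

def _branch_len(fixed: List[Tuple[int, ...]]) -> int:
    """Shortest prefix that tells the product's release branches apart (0 if only one)."""
    n = 0 if len(fixed) < 2 else 1
    while n and len({f[:n] for f in fixed}) < len(fixed):
        n += 1
    return n

def check(product: str, installed: str) -> str:
    """Return 'fixed', 'affected', or 'unknown' (no fixed release listed for that branch).
    A naive 'installed >= any fixed version' test would wrongly clear e.g. GPCC 7.0.0."""
    fixed = [parse_version(f) for f in FIXED_VERSIONS[product]]
    v = parse_version(installed)
    n = _branch_len(fixed)
    on_branch = [f for f in fixed if f[:n] == v[:n]]
    if not on_branch:
        return "unknown"   # treat as affected until the vendor advisory says otherwise
    return "fixed" if v >= on_branch[0] else "affected"

def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each installed product to its status; products not in the bulletin are skipped."""
    return {p: check(p, ver) for p, ver in inventory.items() if p in FIXED_VERSIONS}
```

Feed `audit()` a dict of product name to reported version string; an "unknown" result means the installed branch has no listed fix and should be confirmed against the vendor advisory rather than cleared.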
## References
- **Vendor Advisories**: hxxps[://]support[.]broadcom[.]com/web/ecx/security-advisory?segment=VT
- **CCCS Bulletin**: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/broadcom-vmware-security-advisory-av26-434