VMware Tanzu products update for tcpdump
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2018-16301 CVE-2020-8037 |
| CWE-ID | CWE-125 CWE-770 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Isolation Segment Server applications / Other server solutions VMware Tanzu Application Service for VMs Server applications / Other server solutions |
| Vendor | VMware, Inc |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU21949
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-16301
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in libpcap when during pcapng reading. A remote attacker can pass specially crafted data to the application that uses the affected library, trigger out-of-bounds read error and read contents of memory on the system or crash the application.
MitigationInstall update from vendor's website.
Vulnerable software versionsIsolation Segment: 2.7 - 2.12.6
VMware Tanzu Application Service for VMs: 2.7.0 - 2.12.11
CPE2.3- cpe:2.3:a:vmware:isolation_segment:2.7.43:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:isolation_segment:2.10.23:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:isolation_segment:2.11.12:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:isolation_segment:2.12.6:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_tanzu_application_service_for_vms:2.7.48:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_tanzu_application_service_for_vms:2.10.30:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_tanzu_application_service_for_vms:2.11.18:*:*:*:*:*:*:*
- cpe:2.3:a:vmware:vmware_tanzu_application_service_for_vms:2.12.11:*:*:*:*:*:*:*
http://tanzu.vmware.com/security/usn-5331-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU48587
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-8037
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The ppp decapsulator in tcpdump 4.9.3 can be convinced to allocate a large amount of memory.
MitigationInstall update from vendor's website.
Vulnerable software versionsIsolation Segment: 2.7 - 2.12.6
VMware Tanzu Application Service for VMs: 2.7.0 - 2.12.11
CPE2.3http://tanzu.vmware.com/security/usn-5331-2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
