USN-5068-1: GD library vulnerabilities
Severity

Medium

Vendor

VMware Tanzu

Versions Affected

  • Canonical Ubuntu 14.04
  • Canonical Ubuntu 16.04
  • Canonical Ubuntu 18.04

Description

It was discovered that GD Graphics Library incorrectly handled certain GD and GD2 files. An attacker could possibly use this issue to cause a crash or expose sensitive information. This issue only affected Ubuntu 20.04 LTS, Ubuntu 18.04 LTS, Ubuntu 16.04 ESM, and Ubuntu 14.04 ESM. (CVE-2017-6363)

It was discovered that GD Graphics Library incorrectly handled certain TGA files. An attacker could possibly use this issue to cause a denial of service or expose sensitive information. (CVE-2021-38115)

It was discovered that GD Graphics Library incorrectly handled certain files. An attacker could possibly use this issue to cause a crash. (CVE-2021-40145)

CVEs contained in this USN include: CVE-2021-40145, CVE-2021-38115, CVE-2017-6363

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Isolation Segment
    • 2.7.x versions prior to 2.7.36
    • 2.9.x versions prior to 2.9.24
    • 2.10.x versions prior to 2.10.16
    • 2.11.x versions prior to 2.11.5
  • Operations Manager
    • 2.7.x versions prior to 2.7.25
    • 2.8.x versions prior to 2.8.16
    • 2.9.x versions prior to 2.9.12
    • 2.10.x versions prior to 2.10.3
  • VMware Tanzu Application Service for VMs
    • 2.7.x versions prior to 2.7.38
    • 2.9.x versions prior to 2.9.26
    • 2.10.x versions prior to 2.10.18
    • 2.11.x versions prior to 2.11.6

Mitigation

Users of affected products are strongly encouraged to follow the mitigation below. On the Tanzu Network product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include:

  • Isolation Segment
    • 2.7.36
    • 2.9.24
    • 2.10.16
    • 2.11.5
  • Operations Manager
    • 2.7.25
    • 2.8.16
    • 2.9.12
    • 2.10.3
  • VMware Tanzu Application Service for VMs
    • 2.7.38
    • 2.9.26
    • 2.10.18
    • 2.11.6
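The fixed-release table above is easiest to apply to a deployment inventory as a small version gate. The following is an added example, not VMware's own tooling: it encodes the fixed releases listed in this advisory and reports, per product line, whether an installed version already carries the fix. Versions on a release line the advisory does not list are reported as "unknown" rather than assumed safe, and comparisons are numeric so that 2.10.9 is correctly ranked below 2.10.16.

```python
# Added example (not part of the VMware advisory): checks whether a deployed
# Tanzu product version already contains the USN-5068-1 fix, using the
# fixed-release table from the Mitigation section. Release lines not listed
# in the advisory are reported as "unknown", never as "fixed".

FIXED_RELEASES = {
    "Isolation Segment": ["2.7.36", "2.9.24", "2.10.16", "2.11.5"],
    "Operations Manager": ["2.7.25", "2.8.16", "2.9.12", "2.10.3"],
    "VMware Tanzu Application Service for VMs": ["2.7.38", "2.9.26", "2.10.18", "2.11.6"],
}

def parse_version(version):
    """Turn '2.10.16' into (2, 10, 16) so comparisons are numeric, not lexical."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)

def assess(product, version):
    """Return 'fixed', 'affected' or 'unknown' for one product/version pair."""
    if product not in FIXED_RELEASES:
        return "unknown"
    major, minor, patch = parse_version(version)
    for fixed in FIXED_RELEASES[product]:
        f_major, f_minor, f_patch = parse_version(fixed)
        if (major, minor) == (f_major, f_minor):
            # Same release line: the fix is present from the listed patch level on.
            return "fixed" if patch >= f_patch else "affected"
    # Release line not covered by this advisory (e.g. TAS 2.8.x).
    return "unknown"

def assess_inventory(inventory):
    """Assess a list of (product, version) pairs, e.g. from a deployment inventory."""
    return [(product, version, assess(product, version)) for product, version in inventory]

if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    sample = [
        ("Operations Manager", "2.10.2"),
        ("Isolation Segment", "2.11.5"),
        ("Isolation Segment", "2.10.9"),
        ("VMware Tanzu Application Service for VMs", "2.8.5"),
    ]
    for product, version, status in assess_inventory(sample):
        print(f"{product} {version}: {status}")
```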

History

2021-10-04: Initial vulnerability report published.