# Broadcom VMware security advisory (AV26-585)
Analysis Summary
# Vulnerability: Critical Update for VMware Tanzu for Valkey on Kubernetes
## CVE Details
- **CVE ID:** Not explicitly listed in the source summary (Refer to Broadcom Advisory VMSA-2026-XXXX)
- **CVSS Score:** Critical (no numeric score is given; 9.0 to 10.0 is assumed from the "Critical Update" designation)
- **CWE:** Not specified in the provided bulletin.
## Affected Systems
- **Products:** VMware Tanzu for Valkey on Kubernetes
- **Versions:** All versions prior to 3.4.1
- **Configurations:** Default deployments of Valkey on Kubernetes environments managed via Tanzu.
## Vulnerability Description
The CCCS bulletin does not detail the specific technical flaw (for example, remote code execution or authentication bypass); Broadcom has labeled the release a "Critical Update." For Valkey (a Redis fork), updates of this severity typically address flaws that could allow unauthorized access to data held in memory or execution of arbitrary commands within the containerized environment.
## Exploitation
- **Status:** Not specified (No mention of active exploitation in the wild at the time of this advisory).
- **Complexity:** Likely Low (consistent with "Critical" severity ratings).
- **Attack Vector:** Network (Remote connectivity to the Valkey instance).
## Impact
- **Confidentiality:** High (Potential unauthorized data access).
- **Integrity:** High (Potential unauthorized data modification).
- **Availability:** High (Potential service disruption or system take-over).
## Remediation
### Patches
The following version contains the fix for these vulnerabilities:
- **VMware Tanzu for Valkey on Kubernetes 3.4.1** or later.
### Workarounds
- No specific workarounds are provided in the advisory. Users are strongly encouraged to apply the formal patch immediately.
- General best practice: do not expose Valkey instances to the public internet, and enforce strong authentication together with Kubernetes network policies that restrict which workloads in the cluster can reach the Valkey pods.
## Detection
- **Indicators of Compromise:** Monitor for unusual network traffic to Valkey pods and for unauthorized administrative commands recorded in Kubernetes audit logs.
- **Detection methods and tools:** Use container image scanning tools to identify Valkey images older than 3.4.1 in your registry and in running deployments.
## References
- **Vendor Advisory:** hxxps[://]support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37636
- **Broadcom Tanzu Portal:** hxxps[://]support[.]broadcom[.]com/web/ecx/security-advisory?segment=VT
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/broadcom-vmware-security-advisory-av26-585