Full Report
Broadcom VMware security advisory (AV26-663)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Broadcom VMware Tanzu for MySQL
## CVE Details
- **CVE ID:** CVE-2026-31665, CVE-2026-31666 (Specific IDs per Broadcom Advisory VMSA-2026-0012)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication), CWE-77 (Command Injection)
## Affected Systems
- **Products:** VMware Tanzu for MySQL on Kubernetes
- **Versions:** All versions prior to 2.0.4
- **Configurations:** Default deployments of the MySQL operator and instances within Kubernetes clusters.
## Vulnerability Description
The primary vulnerability stems from an improper authentication flaw in the Tanzu for MySQL management interface. An unauthenticated attacker with network access to the Tanzu Kubernetes Grid (TKG) management plane can bypass security controls to gain administrative access to the MySQL instances. Additionally, a secondary vulnerability involves a command injection flaw within the backup/restore component, allowing for arbitrary code execution with the privileges of the container runtime.
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild as of this advisory date).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to database contents)
- **Integrity:** High (Ability to modify or delete data and configurations)
- **Availability:** High (Potential for service disruption or data locking)
## Remediation
### Patches
Broadcom has released the following version to address these flaws:
- **VMware Tanzu for MySQL on Kubernetes 2.0.4**
### Workarounds
- **Network Segmentation:** Limit access to the Kubernetes API and the MySQL Operator service to trusted administrative subnets only.
- **RBAC Hardening:** Review and restrict Kubernetes Role-Based Access Control (RBAC) permissions associated with the MySQL operator service accounts.
## Detection
- **Indicators of Compromise:** Monitor Kubernetes audit logs for unusual API calls to the MySQL operator namespace originating from unexpected IP addresses. Check for unauthorized container execution commands (`kubectl exec`) targeting MySQL pods.
- **Detection methods and tools:** Utilize vulnerability scanners (such as Trivy or Grype) to identify outdated container images within the cluster.
## References
- **Vendor Advisory:** hxxps[://]support[.]broadcom[.]com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37858
- **VMware Cloud Foundation Advisories:** hxxps[://]support[.]broadcom[.]com/web/ecx/security-advisory?segment=VT
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/broadcom-vmware-security-advisory-av26-663