Azure HIGH CVE identified for Linux VMs caused by CVE-2021-38649

Article ID: 298309

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Your security team was notified that a HIGH CVE had been identified, making your PCF VMs vulnerable.

Will a new stemcell be available to patch this CVE?

For more information on this CVE, refer to CVE-2021-38649 - Security Update Guide - Microsoft - Open Management Infrastructure Elevation of Privilege Vulnerability.


Environment

Product Version: 2.11

Resolution

CVE-2021-38649 describes a vulnerability in the omiagent used on Azure. It is not a part of Tanzu stemcells.

However, a customer can update their VMs with the latest Tanzu Azure stemcell to trigger side-loading of the patched omiagent from Azure.

For more information from the vendor Microsoft, see this bulletin: