Bug 1188535 (CVE-2021-2454)

Summary: VUL-0: CVE-2021-2454: virtualbox: Improper input validation
Product: [openSUSE] openSUSE Distribution
Reporter: Alexander Bergmann <abergmann>
Component: Basesystem
Assignee: Larry Finger <Larry.Finger>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
Version: Leap 15.2
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/304757/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2021-07-21 05:56:54 UTC
CVE-2021-2454

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-2454

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No

Description

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Oracle VM VirtualBox: 6.1.0, 6.1.2, 6.1.4, 6.1.6, 6.1.8, 6.1.10, 6.1.12, 6.1.14, 6.1.16, 6.1.18, 6.1.20, 6.1.22

References:
https://www.cybersecurity-help.cz/vdb/SB2021072060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-2454
https://www.oracle.com/security-alerts/cpujul2021.html#CVE-2021-2454
Comment 1 OBSbugzilla Bot 2021-07-21 19:40:16 UTC
This is an autogenerated message for OBS integration:
This bug (1188535) was mentioned in
https://build.opensuse.org/request/show/907595 15.3 / virtualbox
Comment 2 OBSbugzilla Bot 2021-07-22 03:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (1188535) was mentioned in
https://build.opensuse.org/request/show/907614 15.2 / virtualbox
Comment 3 OBSbugzilla Bot 2021-07-30 06:20:16 UTC
This is an autogenerated message for OBS integration:
This bug (1188535) was mentioned in
https://build.opensuse.org/request/show/909278 15.2 / virtualbox
https://build.opensuse.org/request/show/909279 15.3 / virtualbox
Comment 4 Larry Finger 2021-07-30 18:40:58 UTC
VirtualBox v6.1.24, which has fixed this vulnerability, is in Leap 15.2.
Comment 5 Swamp Workflow Management 2021-08-05 01:58:11 UTC
openSUSE-SU-2021:1092-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1188045,1188105,1188535,1188536,1188537,1188538
CVE References: CVE-2021-2409,CVE-2021-2442,CVE-2021-2443,CVE-2021-2454
JIRA References:
Sources used:
openSUSE Leap 15.3 (src):    virtualbox-6.1.24-lp153.2.6.1, virtualbox-kmp-6.1.24-lp153.2.6.1
Comment 6 Swamp Workflow Management 2021-08-10 04:17:50 UTC
openSUSE-SU-2021:1114-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1188045,1188105,1188535,1188536,1188537,1188538
CVE References: CVE-2021-2409,CVE-2021-2442,CVE-2021-2443,CVE-2021-2454
JIRA References:
Sources used:
openSUSE Leap 15.2 (src):    virtualbox-6.1.26-lp152.2.35.1, virtualbox-kmp-6.1.26-lp152.2.35.1