Bug 1216363 (CVE-2023-22098)

Summary: VUL-0: CVE-2023-22098: virtualbox: virtualbox 7.0.12 security update (Oracle October 2023 CPU)
Product: [openSUSE] openSUSE Distribution Reporter: SMASH SMASH <smash_bz>
Component: SecurityAssignee: Larry Finger <Larry.Finger>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: gabriele.sonnu
Version: Leap 15.6   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/382215/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-22098:7.3:(AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2023-10-18 08:31:14 UTC 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).  Supported versions that are affected are Prior to 7.0.12.
Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and  unauthorized read access to a subset of Oracle VM VirtualBox accessible data. 

Note: Only applicable to 7.0.x platform. 

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22098
Comment 1 Larry Finger 2023-10-18 20:33:21 UTC 
Version 7.0.12 of VirtualBox, which has a fix for this vulnerability, has been submitted to Factory/Tumbleweed. The Leap versions will soon follow.
Comment 2 OBSbugzilla Bot 2023-10-19 20:35:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1119095 15.4 / virtualbox
Comment 3 OBSbugzilla Bot 2023-10-19 21:25:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1119101 15.5 / virtualbox
Comment 4 OBSbugzilla Bot 2023-10-20 01:25:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1119117 15.6 / virtualbox
Comment 5 OBSbugzilla Bot 2023-10-27 16:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1120832 15.4 / virtualbox
https://build.opensuse.org/request/show/1120833 15.5 / virtualbox
Comment 6 Marcus Meissner 2023-11-04 14:05:35 UTC 
openSUSE-SU-2023:0352-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1215463,1216363,1216364,1216365
CVE References: CVE-2023-22098,CVE-2023-22099,CVE-2023-22100
JIRA References: 
Sources used:
openSUSE Leap 15.5 (src):    virtualbox-7.0.12-lp155.2.13.1, virtualbox-kmp-7.0.12-lp155.2.13.1
Comment 7 Marcus Meissner 2023-11-04 14:05:56 UTC 
openSUSE-SU-2023:0351-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1216363,1216364,1216365
CVE References: CVE-2023-22098,CVE-2023-22099,CVE-2023-22100
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    virtualbox-7.0.12-lp154.2.43.1, virtualbox-kmp-7.0.12-lp154.2.43.1