Bug 1112097 - VUL-0: virtualbox: October 2018 release, multiple vulnerabilities
Summary: VUL-0: virtualbox: October 2018 release, multiple vulnerabilities
Status: RESOLVED FIXED
Duplicates: 1112503
Alias: None
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 42.3
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Larry Finger
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-17 06:34 UTC by Karol Babioch
Modified: 2019-07-30 16:12 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Robert Frohl 2018-10-17 08:33:34 UTC
Multiple vulnerabilities fixed in current virtualbox release

https://www.oracle.com/technetwork/security-advisory/cpuoct2018verbose-5170927.html#OVIR

CVE-2018-0732
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core (OpenSSL)). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox.
CVSS v3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

CVE-2018-2909
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3287
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3288
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3289
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3290
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3291
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3292
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3293
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3294
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows low privileged attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3295
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3296
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3297
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-3298
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). The supported version that is affected is Prior to 5.2.20. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Comment 2 Andreas Stieger 2018-10-19 08:37:11 UTC
*** Bug 1112503 has been marked as a duplicate of this bug. ***
Comment 3 Swamp Workflow Management 2018-10-24 19:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1112097) was mentioned in
https://build.opensuse.org/request/show/644415 15.0 / virtualbox
https://build.opensuse.org/request/show/644416 42.3 / virtualbox
Comment 4 Swamp Workflow Management 2018-10-30 00:50:12 UTC
This is an autogenerated message for OBS integration:
This bug (1112097) was mentioned in
https://build.opensuse.org/request/show/645384 Factory / virtualbox
Comment 5 Swamp Workflow Management 2018-10-30 11:10:05 UTC
openSUSE-SU-2018:3558-1: An update that fixes 14 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1112097
CVE References: CVE-2018-0732,CVE-2018-2909,CVE-2018-3287,CVE-2018-3288,CVE-2018-3289,CVE-2018-3290,CVE-2018-3291,CVE-2018-3292,CVE-2018-3293,CVE-2018-3294,CVE-2018-3295,CVE-2018-3296,CVE-2018-3297,CVE-2018-3298
Sources used:
openSUSE Leap 42.3 (src):    virtualbox-5.2.20-60.1
openSUSE Leap 15.0 (src):    virtualbox-5.2.20-lp150.4.20.1
Comment 6 Swamp Workflow Management 2018-11-03 07:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1112097) was mentioned in
https://build.opensuse.org/request/show/646137 Factory / virtualbox
Comment 7 Swamp Workflow Management 2018-11-03 19:40:05 UTC
This is an autogenerated message for OBS integration:
This bug (1112097) was mentioned in
https://build.opensuse.org/request/show/646211 Factory / virtualbox
Comment 8 Larry Finger 2018-12-10 14:34:13 UTC
Fixed by update.
Comment 9 Swamp Workflow Management 2019-02-23 21:50:31 UTC
This is an autogenerated message for OBS integration:
This bug (1112097) was mentioned in
https://build.opensuse.org/request/show/678434 15.1 / virtualbox
Comment 10 Swamp Workflow Management 2019-07-30 16:12:09 UTC
openSUSE-SU-2019:1814-1: An update that fixes 52 vulnerabilities is now available.

Category: security (important)
Bug References: 1097248,1098050,1112097,1113894,1115041,1116050,1130503,1130588,1132379,1132439,1132827,1133289,1133492,1141801
CVE References: CVE-2018-0734,CVE-2018-11763,CVE-2018-11784,CVE-2018-3288,CVE-2018-3289,CVE-2018-3290,CVE-2018-3291,CVE-2018-3292,CVE-2018-3293,CVE-2018-3294,CVE-2018-3295,CVE-2018-3296,CVE-2018-3297,CVE-2018-3298,CVE-2019-1543,CVE-2019-2446,CVE-2019-2448,CVE-2019-2450,CVE-2019-2451,CVE-2019-2508,CVE-2019-2509,CVE-2019-2511,CVE-2019-2525,CVE-2019-2527,CVE-2019-2554,CVE-2019-2555,CVE-2019-2556,CVE-2019-2574,CVE-2019-2656,CVE-2019-2657,CVE-2019-2678,CVE-2019-2679,CVE-2019-2680,CVE-2019-2690,CVE-2019-2696,CVE-2019-2703,CVE-2019-2721,CVE-2019-2722,CVE-2019-2723,CVE-2019-2848,CVE-2019-2850,CVE-2019-2859,CVE-2019-2863,CVE-2019-2864,CVE-2019-2865,CVE-2019-2866,CVE-2019-2867,CVE-2019-2873,CVE-2019-2874,CVE-2019-2875,CVE-2019-2876,CVE-2019-2877
Sources used:
openSUSE Leap 15.1 (src):    virtualbox-6.0.10-lp151.2.6.1
openSUSE Leap 15.0 (src):    virtualbox-6.0.10-lp150.4.36.1