Bug 1188535 – VUL-0: CVE-2021-2454: virtualbox: Improper input validation

Bug 1188535 - (CVE-2021-2454) VUL-0: CVE-2021-2454: virtualbox: Improper input validation

(CVE-2021-2454)
Summary:	VUL-0: CVE-2021-2454: virtualbox: Improper input validation

Status:	RESOLVED FIXED

Classification:	openSUSE
Product:	openSUSE Distribution
Classification:	openSUSE
Component:	Basesystem
Version:	Leap 15.2
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major (vote)
Target Milestone:	---
Assigned To:	Larry Finger
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/304757/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2021-07-21 05:56 UTC by Alexander Bergmann
Modified:	2021-08-10 04:17 UTC (History)
CC List:	0 users

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexander Bergmann 2021-07-21 05:56:54 UTC

CVE-2021-2454

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C] [PCI]	

CVE-ID: CVE-2021-2454

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No
Description

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.
Vulnerable software versions

Oracle VM VirtualBox: 6.1.0, 6.1.2, 6.1.4, 6.1.6, 6.1.8, 6.1.10, 6.1.12, 6.1.14, 6.1.16, 6.1.18, 6.1.20, 6.1.22

References:
https://www.cybersecurity-help.cz/vdb/SB2021072060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-2454
https://www.oracle.com/security-alerts/cpujul2021.html#CVE-2021-2454

Comment 1 OBSbugzilla Bot 2021-07-21 19:40:16 UTC

This is an autogenerated message for OBS integration:
This bug (1188535) was mentioned in
https://build.opensuse.org/request/show/907595 15.3 / virtualbox

Comment 2 OBSbugzilla Bot 2021-07-22 03:00:15 UTC

This is an autogenerated message for OBS integration:
This bug (1188535) was mentioned in
https://build.opensuse.org/request/show/907614 15.2 / virtualbox

Comment 3 OBSbugzilla Bot 2021-07-30 06:20:16 UTC

This is an autogenerated message for OBS integration:
This bug (1188535) was mentioned in
https://build.opensuse.org/request/show/909278 15.2 / virtualbox
https://build.opensuse.org/request/show/909279 15.3 / virtualbox

Comment 4 Larry Finger 2021-07-30 18:40:58 UTC

VirtualBox v6.1.24, which has fixed this vulnerability, is in Leap 15.2.

Comment 5 Swamp Workflow Management 2021-08-05 01:58:11 UTC

openSUSE-SU-2021:1092-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1188045,1188105,1188535,1188536,1188537,1188538
CVE References: CVE-2021-2409,CVE-2021-2442,CVE-2021-2443,CVE-2021-2454
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    virtualbox-6.1.24-lp153.2.6.1, virtualbox-kmp-6.1.24-lp153.2.6.1

Comment 6 Swamp Workflow Management 2021-08-10 04:17:50 UTC

openSUSE-SU-2021:1114-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1188045,1188105,1188535,1188536,1188537,1188538
CVE References: CVE-2021-2409,CVE-2021-2442,CVE-2021-2443,CVE-2021-2454
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    virtualbox-6.1.26-lp152.2.35.1, virtualbox-kmp-6.1.26-lp152.2.35.1