Bug 1216363 (CVE-2023-22098) - VUL-0: CVE-2023-22098: virtualbox: virtualbox 7.0.12 security update (Oracle October 2023 CPU)
Summary: VUL-0: CVE-2023-22098: virtualbox: virtualbox 7.0.12 security update (Oracle ...
Status: RESOLVED FIXED
Alias: CVE-2023-22098
Product: openSUSE Distribution
Classification: openSUSE
Component: Security (show other bugs)
Version: Leap 15.6
Hardware: Other Other
: P3 - Medium : Major (vote)
Target Milestone: ---
Assignee: Larry Finger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/382215/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-22098:7.3:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-10-18 08:31 UTC by SMASH SMASH
Modified: 2023-11-04 14:05 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-10-18 08:31:14 UTC 
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).  Supported versions that are affected are Prior to 7.0.12.
Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox.  While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change).  Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well as unauthorized update, insert or delete access to some of Oracle VM VirtualBox accessible data and  unauthorized read access to a subset of Oracle VM VirtualBox accessible data. 

Note: Only applicable to 7.0.x platform. 

CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:H).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-22098
Comment 1 Larry Finger 2023-10-18 20:33:21 UTC 
Version 7.0.12 of VirtualBox, which has a fix for this vulnerability, has been submitted to Factory/Tumbleweed. The Leap versions will soon follow.
Comment 2 OBSbugzilla Bot 2023-10-19 20:35:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1119095 15.4 / virtualbox
Comment 3 OBSbugzilla Bot 2023-10-19 21:25:03 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1119101 15.5 / virtualbox
Comment 4 OBSbugzilla Bot 2023-10-20 01:25:01 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1119117 15.6 / virtualbox
Comment 5 OBSbugzilla Bot 2023-10-27 16:35:02 UTC 
This is an autogenerated message for OBS integration:
This bug (1216363) was mentioned in
https://build.opensuse.org/request/show/1120832 15.4 / virtualbox
https://build.opensuse.org/request/show/1120833 15.5 / virtualbox
Comment 6 Marcus Meissner 2023-11-04 14:05:35 UTC 
openSUSE-SU-2023:0352-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1215463,1216363,1216364,1216365
CVE References: CVE-2023-22098,CVE-2023-22099,CVE-2023-22100
JIRA References: 
Sources used:
openSUSE Leap 15.5 (src):    virtualbox-7.0.12-lp155.2.13.1, virtualbox-kmp-7.0.12-lp155.2.13.1
Comment 7 Marcus Meissner 2023-11-04 14:05:56 UTC 
openSUSE-SU-2023:0351-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1216363,1216364,1216365
CVE References: CVE-2023-22098,CVE-2023-22099,CVE-2023-22100
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    virtualbox-7.0.12-lp154.2.43.1, virtualbox-kmp-7.0.12-lp154.2.43.1