Bug 1188537 - (CVE-2021-2442) VUL-0: CVE-2021-2442: virtualbox: Improper input validation
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Basesystem
Version: Leap 15.2
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Larry Finger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/304745/
Reported: 2021-07-21 05:56 UTC by Alexander Bergmann
Modified: 2021-08-10 04:18 UTC

Found By: Security Response Team
Description Alexander Bergmann 2021-07-21 05:56:59 UTC
CVE-2021-2442

Risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]	

CVE-ID: CVE-2021-2442

CWE-ID: CWE-20 - Improper Input Validation

Exploit availability: No
Description

The vulnerability allows a local privileged user to crash the entire system.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to crash the entire system.

Mitigation

Install update from vendor's website.
Vulnerable software versions

Oracle VM VirtualBox: 6.1.0, 6.1.2, 6.1.4, 6.1.6, 6.1.8, 6.1.10, 6.1.12, 6.1.14, 6.1.16, 6.1.18, 6.1.20, 6.1.22

References:
https://www.cybersecurity-help.cz/vdb/SB2021072060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-2442
https://www.oracle.com/security-alerts/cpujul2021.html#CVE-2021-2442
Comment 1 OBSbugzilla Bot 2021-07-21 19:40:24 UTC
This is an autogenerated message for OBS integration:
This bug (1188537) was mentioned in
https://build.opensuse.org/request/show/907595 15.3 / virtualbox
Comment 2 OBSbugzilla Bot 2021-07-22 03:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (1188537) was mentioned in
https://build.opensuse.org/request/show/907614 15.2 / virtualbox
Comment 3 OBSbugzilla Bot 2021-07-30 06:20:24 UTC
This is an autogenerated message for OBS integration:
This bug (1188537) was mentioned in
https://build.opensuse.org/request/show/909278 15.2 / virtualbox
https://build.opensuse.org/request/show/909279 15.3 / virtualbox
Comment 4 Larry Finger 2021-07-30 18:55:45 UTC
VirtualBox v6.1.24, which has fixed this vulnerability, is in Leap 15.2.
Comment 5 Swamp Workflow Management 2021-08-05 01:58:24 UTC
openSUSE-SU-2021:1092-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1188045,1188105,1188535,1188536,1188537,1188538
CVE References: CVE-2021-2409,CVE-2021-2442,CVE-2021-2443,CVE-2021-2454
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    virtualbox-6.1.24-lp153.2.6.1, virtualbox-kmp-6.1.24-lp153.2.6.1
Comment 6 Swamp Workflow Management 2021-08-10 04:18:03 UTC
openSUSE-SU-2021:1114-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1188045,1188105,1188535,1188536,1188537,1188538
CVE References: CVE-2021-2409,CVE-2021-2442,CVE-2021-2443,CVE-2021-2454
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    virtualbox-6.1.26-lp152.2.35.1, virtualbox-kmp-6.1.26-lp152.2.35.1