Bug 1194924 - (CVE-2022-21394) VUL-0: CVE-2022-21394: Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.32.
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.3
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Larry Finger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/321173/
Reported: 2022-01-20 09:36 UTC by Carlos López
Modified: 2022-05-06 02:40 UTC
Found By: Security Response Team

Description Carlos López 2022-01-20 09:36:57 UTC
CVE-2022-21394

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization
(component: Core). The supported version that is affected is Prior to 6.1.32.
Easily exploitable vulnerability allows low privileged attacker with logon to
the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM
VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may
significantly impact additional products. Successful attacks of this
vulnerability can result in unauthorized access to critical data or complete
access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.5
(Confidentiality impacts). CVSS Vector:
(CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21394
https://www.oracle.com/security-alerts/cpujan2022.html#CVE-2022-21394
https://www.oracle.com/security-alerts/cpujan2022.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21394
Comment 1 Larry Finger 2022-01-20 19:26:57 UTC
VirtualBox 6.1.32, which fixes this issue, has just been submitted to Factory.
Comment 2 OBSbugzilla Bot 2022-01-20 20:10:06 UTC
This is an autogenerated message for OBS integration:
This bug (1194924) was mentioned in
https://build.opensuse.org/request/show/947767 15.4 / virtualbox
Comment 3 OBSbugzilla Bot 2022-01-20 22:40:08 UTC
This is an autogenerated message for OBS integration:
This bug (1194924) was mentioned in
https://build.opensuse.org/request/show/947784 15.2 / virtualbox
https://build.opensuse.org/request/show/947785 15.3 / virtualbox
Comment 4 Swamp Workflow Management 2022-01-24 20:22:53 UTC
openSUSE-SU-2022:0020-1: An update that solves one vulnerability and has three fixes is now available.

Category: security (important)
Bug References: 1194065,1194126,1194128,1194924
CVE References: CVE-2022-21394
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    virtualbox-6.1.32-lp153.2.21.1, virtualbox-kmp-6.1.32-lp153.2.21.1
Comment 5 OBSbugzilla Bot 2022-05-06 02:40:08 UTC
This is an autogenerated message for OBS integration:
This bug (1194924) was mentioned in
https://build.opensuse.org/request/show/975277 15.2 / virtualbox