Bug 655186 (CVE-2018-2830, CVE-2018-2831, CVE-2018-2835, CVE-2018-2836, CVE-2018-2837, CVE-2018-2842, CVE-2018-2843, CVE-2018-2844, CVE-2018-2845, CVE-2018-2860)

Summary:	<app-emulation/virtualbox{,-bin}-5.1.36: Multiple vulnerabilities
Product:	Gentoo Security	Reporter:	GLSAMaker/CVETool Bot <glsamaker>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	masterzorag, polynomial-c, proxy-maint
Priority:	Normal	Flags:	stable-bot: sanity-check+
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	B2 [glsa+ cve cleanup]
Package list:	app-emulation/virtualbox-5.1.36 app-emulation/virtualbox-additions-5.1.36-r1 app-emulation/virtualbox-bin-5.1.36.122089 app-emulation/virtualbox-extpack-oracle-5.1.36.122089 app-emulation/virtualbox-guest-additions-5.1.36 app-emulation/virtualbox-modules-5.1.36 x11-drivers/xf86-video-virtualbox-5.1.36	Runtime testing required:	---

Description GLSAMaker/CVETool Bot gentoo-dev

2018-05-07 16:54:46 UTC

CVE-2018-2860 (https://nvd.nist.gov/vuln/detail/CVE-2018-2860):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows high
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality,
Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2018-2845 (https://nvd.nist.gov/vuln/detail/CVE-2018-2845):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks
of this vulnerability can result in unauthorized ability to cause a hang or
frequently repeatable crash (complete DOS) of Oracle VM VirtualBox as well
as unauthorized update, insert or delete access to some of Oracle VM
VirtualBox accessible data and unauthorized read access to a subset of
Oracle VM VirtualBox accessible data. CVSS 3.0 Base Score 6.6
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H).

CVE-2018-2844 (https://nvd.nist.gov/vuln/detail/CVE-2018-2844):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality,
Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVE-2018-2843 (https://nvd.nist.gov/vuln/detail/CVE-2018-2843):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality,
Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVE-2018-2842 (https://nvd.nist.gov/vuln/detail/CVE-2018-2842):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in
takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality,
Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVE-2018-2837 (https://nvd.nist.gov/vuln/detail/CVE-2018-2837):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks
require human interaction from a person other than the attacker and while
the vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability can
result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2836 (https://nvd.nist.gov/vuln/detail/CVE-2018-2836):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks
require human interaction from a person other than the attacker and while
the vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability can
result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2835 (https://nvd.nist.gov/vuln/detail/CVE-2018-2835):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks
require human interaction from a person other than the attacker and while
the vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability can
result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

CVE-2018-2831 (https://nvd.nist.gov/vuln/detail/CVE-2018-2831):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly impact
additional products. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Oracle VM VirtualBox accessible
data. CVSS 3.0 Base Score 3.8 (Confidentiality impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).

CVE-2018-2830 (https://nvd.nist.gov/vuln/detail/CVE-2018-2830):
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization
(subcomponent: Core). Supported versions that are affected are Prior to
5.1.36 and Prior to 5.2.10. Easily exploitable vulnerability allows low
privileged attacker with logon to the infrastructure where Oracle VM
VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks
require human interaction from a person other than the attacker and while
the vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability can
result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

@Maintainers fixed versions already in the tree. Please call for stabilization when ready.

Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev

2018-05-07 23:55:46 UTC

x86 stable

Comment 2 Agostino Sarubbo gentoo-dev

2018-05-08 15:15:49 UTC

amd64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-05-14 23:15:10 UTC

GLSA request filed

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2018-05-22 22:33:06 UTC

This issue was resolved and addressed in
 GLSA 201805-08 at https://security.gentoo.org/glsa/201805-08
by GLSA coordinator Aaron Bauman (b-man).