
Bug 910579 (CVE-2023-22016, CVE-2023-22017, CVE-2023-22018)

Summary: <app-emulation/virtualbox-{6.1.46,7.0.10}: multiple vulnerabilities
Product: Gentoo Security Reporter: filip ambroz <filip.ambroz>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: ceamac
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.oracle.com/security-alerts/cpujul2023.html#AppendixOVIR
See Also: https://github.com/gentoo/gentoo/pull/31953
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 911671, 911672    
Bug Blocks:    

Description filip ambroz 2023-07-20 08:16:49 UTC
CVE-2023-22016:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H).

CVE-2023-22018:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via RDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).


Fixed in v7.0.10, please bump.
Comment 1 Larry the Git Cow gentoo-dev 2023-07-20 09:40:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc1042f8f7b3e79d61a5080800b8dfcbb2c4c54a

commit cc1042f8f7b3e79d61a5080800b8dfcbb2c4c54a
Author:     Viorel Munteanu <ceamac@gentoo.org>
AuthorDate: 2023-07-19 07:35:21 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2023-07-20 09:36:35 +0000

    app-emulation/virtualbox: add 7.0.10
    
    Bug: https://bugs.gentoo.org/910579
    Closes: https://bugs.gentoo.org/910509
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 app-emulation/virtualbox/Manifest                  |   2 +
 .../files/virtualbox-7.0.10-python.patch           |  18 +
 app-emulation/virtualbox/virtualbox-7.0.10.ebuild  | 735 +++++++++++++++++++++
 3 files changed, 755 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-08-02 05:40:48 UTC
Thank you! Please stabilize when ready.
Comment 3 Viorel Munteanu gentoo-dev 2023-08-16 12:16:29 UTC
Stable and old versions removed.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-25 16:16:27 UTC
CVE-2023-22017 (https://www.oracle.com/security-alerts/cpujul2023.html):

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.46 and Prior to 7.0.10. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).