766348 – (CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2123, CVE-2021-2124, CVE-2021-2125, CVE-2021-2126, CVE-2021-2127, CVE-2021-2128, CVE-2021-2129, CVE-2021-2130, CVE-2021-2131) <app-emulation/virtualbox-6.1.18: multiple vulnerabilities (CVE-2021-{2073,2074,2086,2111,2112,2119,2120,2121,2123,2124,2125,2126,2127,2128,2129,2130,2131})

Bug 766348 (CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2123, CVE-2021-2124, CVE-2021-2125, CVE-2021-2126, CVE-2021-2127, CVE-2021-2128, CVE-2021-2129, CVE-2021-2130, CVE-2021-2131) - <app-emulation/virtualbox-6.1.18: multiple vulnerabilities (CVE-2021-{2073,2074,2086,2111,2112,2119,2120,2121,2123,2124,2125,2126,2127,2128,2129,2130,2131})

Summary: <app-emulation/virtualbox-6.1.18: multiple vulnerabilities (CVE-2021-{2073,20...

Status:	RESOLVED FIXED

Alias:	CVE-2021-2073, CVE-2021-2074, CVE-2021-2086, CVE-2021-2111, CVE-2021-2112, CVE-2021-2119, CVE-2021-2120, CVE-2021-2121, CVE-2021-2123, CVE-2021-2124, CVE-2021-2125, CVE-2021-2126, CVE-2021-2127, CVE-2021-2128, CVE-2021-2129, CVE-2021-2130, CVE-2021-2131

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal major
Assignee:	Gentoo Security

URL:	https://www.oracle.com/security-alert...
Whiteboard:	B1 [glsa+ cve]
Keywords:

Depends on:
Blocks:

Reported:	2021-01-21 05:12 UTC by John Helmert III
Modified:	2021-07-25 00:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2021-01-21 05:12:28 UTC

Numerous vulnerabilities were published with Oracle's January
2021 CPU, the worst of which appears to be CVE-2021-2074:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.18. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).


Please stabilize 6.1.18.

Comment 1 Sam James archtester

2021-01-22 01:48:57 UTC

amd64 done

Comment 2 Sam James archtester

2021-01-22 01:49:42 UTC

x86 done

all arches done

Comment 3 John Helmert III archtester

2021-01-22 01:54:37 UTC

Please cleanup.

Comment 4 GLSAMaker/CVETool Bot gentoo-dev

2021-01-22 16:15:41 UTC

This issue was resolved and addressed in
 GLSA 202101-15 at https://security.gentoo.org/glsa/202101-15
by GLSA coordinator Aaron Bauman (b-man).

Comment 5 Aaron Bauman (RETIRED) gentoo-dev

2021-01-22 16:15:59 UTC

re-opened for cleanup