Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 820425 (CVE-2021-2475, CVE-2021-35538, CVE-2021-35540, CVE-2021-35542, CVE-2021-35545) - <app-emulation/virtualbox-6.1.28: multiple vulnerabilities (CVE-2021-{2475,35538,35540,35542,35545})
Summary: <app-emulation/virtualbox-6.1.28: multiple vulnerabilities (CVE-2021-{2475,35...
Status: RESOLVED FIXED
Alias: CVE-2021-2475, CVE-2021-35538, CVE-2021-35540, CVE-2021-35542, CVE-2021-35545
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.oracle.com/security-alert...
Whiteboard: B4 [glsa+]
Keywords:
Depends on: 828476
Blocks:
  Show dependency tree
 
Reported: 2021-10-27 01:38 UTC by John Helmert III
Modified: 2022-08-31 23:38 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-27 01:38:45 UTC 
CVE-2021-2475:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.28. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2021-35538:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.28. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability does not apply to Windows systems. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

CVE-2021-35540:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.28. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 5.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2021-35542:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.28. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2021-35545:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is Prior to 6.1.28. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.7 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H).


Please stabilize 6.1.28.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-12-08 06:18:01 UTC 
Please cleanup.
Comment 2 Larry the Git Cow gentoo-dev 2022-08-31 23:37:15 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=0896f6d0ef51a24e9d845d2ac349c6bf98fadb0b

commit 0896f6d0ef51a24e9d845d2ac349c6bf98fadb0b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-31 23:36:15 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-31 23:37:06 +0000

    [ GLSA 202208-36 ] Oracle VirtualBox: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/785445
    Bug: https://bugs.gentoo.org/803134
    Bug: https://bugs.gentoo.org/820425
    Bug: https://bugs.gentoo.org/831440
    Bug: https://bugs.gentoo.org/839990
    Bug: https://bugs.gentoo.org/859391
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-36.xml | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)