Bug 877601 (CVE-2022-21620, CVE-2022-21621, CVE-2022-21627, CVE-2022-39421, CVE-2022-39422, CVE-2022-39423, CVE-2022-39424, CVE-2022-39425, CVE-2022-39426) - <app-emulation/virtualbox-6.1.40: multiple vulnerabilities
Summary: <app-emulation/virtualbox-6.1.40: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-21620, CVE-2022-21621, CVE-2022-21627, CVE-2022-39421, CVE-2022-39422, CVE-2022-39423, CVE-2022-39424, CVE-2022-39425, CVE-2022-39426
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.oracle.com/security-alert...
Whiteboard: B1 [glsa+]
Keywords:
Depends on: 878073
Blocks:
Reported: 2022-10-19 00:31 UTC by John Helmert III
Modified: 2022-12-19 02:31 UTC

See Also:
Package list:
Runtime testing required: ---
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-19 00:31:22 UTC
CVE-2022-39424:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-39425:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-39426:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

CVE-2022-39422:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.38. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2022-21620:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

CVE-2022-39421:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. Note: This vulnerability applies to Windows systems only. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H).

CVE-2022-39423:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.38. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).

CVE-2022-21621:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 6.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H).

CVE-2022-21627:

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.40. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

Please stabilize 6.1.40.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-27 16:40:05 UTC
Please cleanup.
Comment 2 Larry the Git Cow gentoo-dev 2022-11-02 06:41:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2247b6b3f3b1a8d17c323a3671edf043b501438

commit f2247b6b3f3b1a8d17c323a3671edf043b501438
Author:     Viorel Munteanu <ceamac.paragon@gmail.com>
AuthorDate: 2022-11-02 05:59:04 +0000
Commit:     Viorel Munteanu <ceamac@gentoo.org>
CommitDate: 2022-11-02 06:39:42 +0000

    app-emulation/virtualbox*: drop 6.1.36, 6.1.38
    
    Bug: https://bugs.gentoo.org/877601
    Signed-off-by: Viorel Munteanu <ceamac.paragon@gmail.com>
    Closes: https://github.com/gentoo/gentoo/pull/27894
    Signed-off-by: Viorel Munteanu <ceamac@gentoo.org>

 app-emulation/virtualbox-additions/Manifest        |   2 -
 .../virtualbox-additions-6.1.36.ebuild             |  30 -
 .../virtualbox-additions-6.1.38.ebuild             |  30 -
 app-emulation/virtualbox-extpack-oracle/Manifest   |   2 -
 .../virtualbox-extpack-oracle-6.1.36.ebuild        |  41 --
 .../virtualbox-extpack-oracle-6.1.38.ebuild        |  41 --
 app-emulation/virtualbox-guest-additions/Manifest  |   2 -
 .../virtualbox-guest-additions-6.1.36.ebuild       | 280 ---------
 .../virtualbox-guest-additions-6.1.38.ebuild       | 281 ---------
 .../files/virtualbox-modules-5.2.8-pax-const.patch |  44 --
 .../virtualbox-modules/files/virtualbox.conf       |   4 -
 .../virtualbox-modules-6.1.36.ebuild               |  65 --
 .../virtualbox-modules-6.1.38.ebuild               |  65 --
 app-emulation/virtualbox/Manifest                  |   2 -
 .../virtualbox/virtualbox-6.1.36-r2.ebuild         | 654 --------------------
 app-emulation/virtualbox/virtualbox-6.1.38.ebuild  | 663 ---------------------
 16 files changed, 2206 deletions(-)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-02 20:16:47 UTC
Thanks!
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-11-22 18:22:09 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-12-19 02:05:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d1d3408ae943ef415fee2767c91a2fb9a91f4c3b

commit d1d3408ae943ef415fee2767c91a2fb9a91f4c3b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-12-19 02:01:20 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-12-19 02:04:28 +0000

    [ GLSA 202212-03 ] Oracle VirtualBox: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/877601
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202212-03.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-12-19 02:31:33 UTC
GLSA released, all done.