Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

virtualbox: CVE-2023-21884 CVE-2023-21885 CVE-2023-21886 CVE-2023-21889 CVE-2023-21898 CVE-2023-21899

Related Vulnerabilities: CVE-2023-21884   CVE-2023-21885   CVE-2023-21886   CVE-2023-21889   CVE-2023-21898   CVE-2023-21899  

Source

Debian Bug report logs - #1029153
virtualbox: CVE-2023-21884 CVE-2023-21885 CVE-2023-21886 CVE-2023-21889 CVE-2023-21898 CVE-2023-21899

Package: src:virtualbox; Maintainer for src:virtualbox is Debian Virtualbox Team <team+debian-virtualbox@tracker.debian.org>;

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 18 Jan 2023 16:30:07 UTC

Severity: grave

Tags: security, upstream

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Virtualbox Team <team+debian-virtualbox@tracker.debian.org>:
Bug#1029153; Package src:virtualbox. (Wed, 18 Jan 2023 16:30:09 GMT) (full text, mbox, link).

Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Virtualbox Team <team+debian-virtualbox@tracker.debian.org>. (Wed, 18 Jan 2023 16:30:09 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: virtualbox: CVE-2023-21884 CVE-2023-21885 CVE-2023-21886 CVE-2023-21889 CVE-2023-21898 CVE-2023-21899
Date: Wed, 18 Jan 2023 17:28:47 +0100
Source: virtualbox
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for virtualbox.

Fixed in 7.0.6

CVE-2023-21884[0]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows high privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base
| Score 4.4 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21885[1]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change). Successful attacks of this vulnerability can result in
| unauthorized read access to a subset of Oracle VM VirtualBox
| accessible data. Note: Applies to Windows only. CVSS 3.1 Base Score
| 3.8 (Confidentiality impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).


CVE-2023-21886[2]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Difficult to exploit
| vulnerability allows unauthenticated attacker with network access via
| multiple protocols to compromise Oracle VM VirtualBox. Successful
| attacks of this vulnerability can result in takeover of Oracle VM
| VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and
| Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).


CVE-2023-21889[3]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. While the vulnerability is in Oracle VM
| VirtualBox, attacks may significantly impact additional products
| (scope change). Successful attacks of this vulnerability can result in
| unauthorized read access to a subset of Oracle VM VirtualBox
| accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality impacts).
| CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).


CVE-2023-21898[4]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies
| to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


CVE-2023-21899[5]:
| Vulnerability in the Oracle VM VirtualBox product of Oracle
| Virtualization (component: Core). Supported versions that are affected
| are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable
| vulnerability allows low privileged attacker with logon to the
| infrastructure where Oracle VM VirtualBox executes to compromise
| Oracle VM VirtualBox. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a hang or frequently
| repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies
| to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-21884
    https://www.cve.org/CVERecord?id=CVE-2023-21884
[1] https://security-tracker.debian.org/tracker/CVE-2023-21885
    https://www.cve.org/CVERecord?id=CVE-2023-21885
[2] https://security-tracker.debian.org/tracker/CVE-2023-21886
    https://www.cve.org/CVERecord?id=CVE-2023-21886
[3] https://security-tracker.debian.org/tracker/CVE-2023-21889
    https://www.cve.org/CVERecord?id=CVE-2023-21889
[4] https://security-tracker.debian.org/tracker/CVE-2023-21898
    https://www.cve.org/CVERecord?id=CVE-2023-21898
[5] https://security-tracker.debian.org/tracker/CVE-2023-21899
    https://www.cve.org/CVERecord?id=CVE-2023-21899

Please adjust the affected versions in the BTS as needed.

Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 18 Jan 2023 16:36:11 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 19 13:05:20 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started