Source: virtualbox X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security
Hi, The following vulnerabilities were published for virtualbox. Fixed in 7.0.6 CVE-2023-21884[0]: | Vulnerability in the Oracle VM VirtualBox product of Oracle | Virtualization (component: Core). Supported versions that are affected | are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable | vulnerability allows high privileged attacker with logon to the | infrastructure where Oracle VM VirtualBox executes to compromise | Oracle VM VirtualBox. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of Oracle VM VirtualBox. CVSS 3.1 Base | Score 4.4 (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). CVE-2023-21885[1]: | Vulnerability in the Oracle VM VirtualBox product of Oracle | Virtualization (component: Core). Supported versions that are affected | are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable | vulnerability allows low privileged attacker with logon to the | infrastructure where Oracle VM VirtualBox executes to compromise | Oracle VM VirtualBox. While the vulnerability is in Oracle VM | VirtualBox, attacks may significantly impact additional products | (scope change). Successful attacks of this vulnerability can result in | unauthorized read access to a subset of Oracle VM VirtualBox | accessible data. Note: Applies to Windows only. CVSS 3.1 Base Score | 3.8 (Confidentiality impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). CVE-2023-21886[2]: | Vulnerability in the Oracle VM VirtualBox product of Oracle | Virtualization (component: Core). Supported versions that are affected | are Prior to 6.1.42 and prior to 7.0.6. Difficult to exploit | vulnerability allows unauthenticated attacker with network access via | multiple protocols to compromise Oracle VM VirtualBox. Successful | attacks of this vulnerability can result in takeover of Oracle VM | VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and | Availability impacts). CVSS Vector: | (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). CVE-2023-21889[3]: | Vulnerability in the Oracle VM VirtualBox product of Oracle | Virtualization (component: Core). Supported versions that are affected | are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable | vulnerability allows low privileged attacker with logon to the | infrastructure where Oracle VM VirtualBox executes to compromise | Oracle VM VirtualBox. While the vulnerability is in Oracle VM | VirtualBox, attacks may significantly impact additional products | (scope change). Successful attacks of this vulnerability can result in | unauthorized read access to a subset of Oracle VM VirtualBox | accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality impacts). | CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N). CVE-2023-21898[4]: | Vulnerability in the Oracle VM VirtualBox product of Oracle | Virtualization (component: Core). Supported versions that are affected | are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable | vulnerability allows low privileged attacker with logon to the | infrastructure where Oracle VM VirtualBox executes to compromise | Oracle VM VirtualBox. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies | to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5 | (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). CVE-2023-21899[5]: | Vulnerability in the Oracle VM VirtualBox product of Oracle | Virtualization (component: Core). Supported versions that are affected | are Prior to 6.1.42 and prior to 7.0.6. Easily exploitable | vulnerability allows low privileged attacker with logon to the | infrastructure where Oracle VM VirtualBox executes to compromise | Oracle VM VirtualBox. Successful attacks of this vulnerability can | result in unauthorized ability to cause a hang or frequently | repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: Applies | to VirtualBox VMs running Windows 7 and later. CVSS 3.1 Base Score 5.5 | (Availability impacts). CVSS Vector: | (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-21884 https://www.cve.org/CVERecord?id=CVE-2023-21884 [1] https://security-tracker.debian.org/tracker/CVE-2023-21885 https://www.cve.org/CVERecord?id=CVE-2023-21885 [2] https://security-tracker.debian.org/tracker/CVE-2023-21886 https://www.cve.org/CVERecord?id=CVE-2023-21886 [3] https://security-tracker.debian.org/tracker/CVE-2023-21889 https://www.cve.org/CVERecord?id=CVE-2023-21889 [4] https://security-tracker.debian.org/tracker/CVE-2023-21898 https://www.cve.org/CVERecord?id=CVE-2023-21898 [5] https://security-tracker.debian.org/tracker/CVE-2023-21899 https://www.cve.org/CVERecord?id=CVE-2023-21899 Please adjust the affected versions in the BTS as needed.
