ArchLinux: 202104-9: virtualbox: multiple issues
Summary
- CVE-2021-2145 (arbitrary code execution)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.
- CVE-2021-2250 (arbitrary code execution)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.
- CVE-2021-2266 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2279 (arbitrary code execution)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via RDP to compromise
Oracle VM VirtualBox. Successful attacks of this vulnerability can
result in takeover of Oracle VM VirtualBox.
- CVE-2021-2280 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2281 (arbitrary filesystem access)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized creation, deletion or modification access to
critical data or all Oracle VM VirtualBox accessible data.
- CVE-2021-2282 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2283 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2284 (arbitrary filesystem access)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized creation, deletion or modification access to
critical data or all Oracle VM VirtualBox accessible data.
- CVE-2021-2285 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2286 (arbitrary filesystem access)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized creation, deletion or modification access to
critical data or all Oracle VM VirtualBox accessible data.
- CVE-2021-2287 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2291 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
low privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful
attacks of this vulnerability can result in unauthorized access to
critical data or complete access to all Oracle VM VirtualBox accessible
data.
- CVE-2021-2296 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2297 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2306 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
- CVE-2021-2309 (arbitrary code execution)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.
- CVE-2021-2310 (arbitrary code execution)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Difficult to exploit vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in takeover of Oracle VM VirtualBox.
- CVE-2021-2321 (information disclosure)
Vulnerability in the Oracle VM VirtualBox product of Oracle
Virtualization (component: Core). The supported version that is
affected is Prior to 6.1.20. Easily exploitable vulnerability allows
high privileged attacker with logon to the infrastructure where Oracle
VM VirtualBox executes to compromise Oracle VM VirtualBox. While the
vulnerability is in Oracle VM VirtualBox, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Oracle VM VirtualBox accessible data.
Resolution
Upgrade to 6.1.20-1.
# pacman -Syu "virtualbox>=6.1.20-1"
The problems have been fixed upstream in version 6.1.20.
References
https://www.oracle.com/security-alerts/cpuapr2021verbose.html#OVIR https://security.archlinux.org/CVE-2021-2145 https://security.archlinux.org/CVE-2021-2250 https://security.archlinux.org/CVE-2021-2266 https://security.archlinux.org/CVE-2021-2279 https://security.archlinux.org/CVE-2021-2280 https://security.archlinux.org/CVE-2021-2281 https://security.archlinux.org/CVE-2021-2282 https://security.archlinux.org/CVE-2021-2283 https://security.archlinux.org/CVE-2021-2284 https://security.archlinux.org/CVE-2021-2285 https://security.archlinux.org/CVE-2021-2286 https://security.archlinux.org/CVE-2021-2287 https://security.archlinux.org/CVE-2021-2291 https://security.archlinux.org/CVE-2021-2296 https://security.archlinux.org/CVE-2021-2297 https://security.archlinux.org/CVE-2021-2306 https://security.archlinux.org/CVE-2021-2309 https://security.archlinux.org/CVE-2021-2310 https://security.archlinux.org/CVE-2021-2321
Workaround
None.