Subject: [ASA-202110-3] virtualbox: multiple issues Arch Linux Security Advisory ASA-202110-3 ========================================= Severity: High Date : 2021-10-21 CVE-ID : CVE-2021-2475 CVE-2021-35538 CVE-2021-35540 CVE-2021-35542 CVE-2021-35545 Package : virtualbox Type : multiple issues Remote : No Link : https://security.archlinux.org/AVG-2476 Summary ======= The package virtualbox before version 6.1.28-1 is vulnerable to multiple issues including sandbox escape, denial of service and information disclosure. Resolution ========== Upgrade to 6.1.28-1. # pacman -Syu "virtualbox>=6.1.28-1" The problems have been fixed upstream in version 6.1.28. Workaround ========== None. Description =========== - CVE-2021-2475 (denial of service) A security issue has been found in Oracle VM VirtualBox before version 6.1.28. An easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2021-35538 (sandbox escape) A security issue has been found in Oracle VM VirtualBox before version 6.1.28. An easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. - CVE-2021-35540 (denial of service) A security issue has been found in Oracle VM VirtualBox before version 6.1.28. An easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2021-35542 (denial of service) A security issue has been found in Oracle VM VirtualBox before version 6.1.28. An easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in the unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. - CVE-2021-35545 (information disclosure) A security issue has been found in Oracle VM VirtualBox before version 6.1.28. An easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox and unauthorized read access to a subset of Oracle VM VirtualBox accessible data. Impact ====== A malicious virtual machine guest could escape its confinement to run arbitrary code on the host system, disclose sensitive information, or crash VirtualBox. References ========== https://www.oracle.com/security-alerts/cpuoct2021verbose.html#OVIR https://security.archlinux.org/CVE-2021-2475 https://security.archlinux.org/CVE-2021-35538 https://security.archlinux.org/CVE-2021-35540 https://security.archlinux.org/CVE-2021-35542 https://security.archlinux.org/CVE-2021-35545