Multiple vulnerabilities in Oracle VM VirtualBox

Description

Multiple serious vulnerabilities have been found in Oracle VM VirtualBox. Malicious users can exploit these vulnerabilities to to cause a denial of service, read and write accesible data and possibly to obtain sensitive information.

Below is a complete list of vulnerabilities:

1. Multiple unspecified vulnerabilities in subcomponent Core of Oracle Virtualization component can be exploited remotely possibly to obtain sensitive information;
2. An unspecified vulnerability in subcomponent Core of Oracle Virtualization component can be exploited remotely to cause a denial of service (it can be either hang or frequently repeatable crash), write to some of Oracle VM VirtualBox accessible data;
3. An unspecified vulnerability in subcomponent Core of Oracle Virtualization component can be exploited remotely to cause a partial denial of service, read a subset of Oracle VM VirtualBox accessible data;
4. Multiple unspecified vulnerabilities in subcomponent Core of Oracle Virtualization component can be exploited remotely to cause a denial of service (it can be either hang or frequently repeatable crash), write to some of Oracle VM VirtualBox accessible data and read a subset of Oracle VM VirtualBox accessible data;
5. An unspecified vulnerability in subcomponent Core of Oracle Virtualization component can be exploited remotely to cause a denial of service (it can be either hang or frequently repeatable crash), write to some of Oracle VM VirtualBox accessible data;
6. An unspecified vulnerability in subcomponent Core of Oracle Virtualization component can be exploited remotely to cause a partial denial of service, write to some of Oracle VM VirtualBox accessible data;

---

Technical details

Vulnerabilities (1)-(3) can be exploited by a low privileged user with logon to the infrastructure where OracleVM VirtualBox is executed.

Vulnerabilities (4)-(6) can be exploited by a high privileged user with logon to the infrastructure where OracleVM VirtualBox is executed.

NB: These vulnerabilities do not have any public CVSS rating so rating can be changed by the time.

NB: At this moment Oracle has just reserved CVE numbers for these vulnerabilities. Information can be changed soon.

Original advisories

• Oracle Critical Patch Update Advisory

Exploitation

Public exploits exist for this vulnerability.

Related products

• Oracle-VirtualBox

CVE list

• CVE-2017-10204
  warning
• CVE-2017-10129
  warning
• CVE-2017-10210
  warning
• CVE-2017-10233
  warning
• CVE-2017-10236
  warning
• CVE-2017-10237
  warning
• CVE-2017-10238
  warning
• CVE-2017-10239
  warning
• CVE-2017-10240
  warning
• CVE-2017-10241
  warning
• CVE-2017-10242
  warning
• CVE-2017-10235
  warning
• CVE-2017-10209
  warning
• CVE-2017-10187
  warning

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com