SB20190716144 - Multiple vulnerabilities in Oracle VM VirtualBox




Published: July 16, 2019

Security Bulletin ID: SB20190716144
Severity: Low
Patch available: YES
Number of vulnerabilities: 14
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 14 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2019-2850)

The vulnerability allows a local authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform service disruption.


2) Improper input validation (CVE-ID: CVE-2019-2876)

The vulnerability allows a local authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform service disruption.


3) Improper input validation (CVE-ID: CVE-2019-2875)

The vulnerability allows a local authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform service disruption.


4) Improper input validation (CVE-ID: CVE-2019-2874)

The vulnerability allows a local authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform service disruption.


5) Improper input validation (CVE-ID: CVE-2019-2873)

The vulnerability allows a local authenticated user to perform service disruption.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform service disruption.


6) Improper input validation (CVE-ID: CVE-2019-2877)

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.


7) Improper input validation (CVE-ID: CVE-2019-2848)

The vulnerability allows a local authenticated user to crash the entire system.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to crash the entire system.


8) Improper input validation (CVE-ID: CVE-2019-2863)

The vulnerability allows a local authenticated user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to gain access to sensitive information.


9) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2019-1543)

The vulnerability allows a remote attacker to gain access to encrypted data.

The vulnerability exists due to incorrect implementation of the ChaCha20-Poly1305 cipher. Messages encrypted with this cipher under a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then changes the leading bytes of the nonce, expecting the new value to be a new unique nonce, it could inadvertently encrypt messages with a reused nonce.

This vulnerability does not affect internal usage of the cipher within OpenSSL. However, if an application uses this cipher directly and sets a non-default nonce length longer than 12 bytes, it may be vulnerable.
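The nonce handling described above can be modelled to audit an application's nonce scheme. This is an added example, not code from the bulletin or from OpenSSL; it assumes, per OpenSSL's advisory for this CVE, that nonces of up to 16 bytes were accepted, that only the last 12 bytes were significant, and that shorter nonces were front-padded with zeros. The function names and sample nonces are constructed for illustration.

```python
from collections import defaultdict

RFC_NONCE_LEN = 12     # nonce length defined for ChaCha20-Poly1305
MAX_ACCEPTED_LEN = 16  # longest nonce the affected code accepted (assumption, see lead-in)


def effective_nonce(nonce: bytes) -> bytes:
    """Return the 12 bytes the cipher actually uses for a caller-supplied nonce."""
    if len(nonce) > MAX_ACCEPTED_LEN:
        raise ValueError("nonce longer than 16 bytes")
    if len(nonce) > RFC_NONCE_LEN:
        # Leading bytes beyond the last 12 are silently ignored.
        return nonce[-RFC_NONCE_LEN:]
    # Short nonces are front-padded with zero bytes.
    return nonce.rjust(RFC_NONCE_LEN, b"\x00")


def find_nonce_reuse(nonces):
    """Group distinct caller nonces (same key) that map to one effective nonce.

    Returns {effective_nonce: [caller nonces]} for every group larger than one.
    """
    groups = defaultdict(list)
    for nonce in nonces:
        bucket = groups[effective_nonce(nonce)]
        if nonce not in bucket:
            bucket.append(nonce)
    return {eff: seen for eff, seen in groups.items() if len(seen) > 1}


# Constructed sample: a 16-byte scheme with the message counter in the
# leading 4 bytes, and a 12-byte scheme with the counter in the trailing bytes.
SUFFIX = bytes(range(12))
LEADING_COUNTER = [i.to_bytes(4, "big") + SUFFIX for i in range(3)]
TRAILING_COUNTER = [bytes(8) + i.to_bytes(4, "big") for i in range(3)]

if __name__ == "__main__":
    for eff, seen in find_nonce_reuse(LEADING_COUNTER).items():
        print(eff.hex(), "<-", [n.hex() for n in seen])
    print("12-byte trailing counter reuse:", find_nonce_reuse(TRAILING_COUNTER))
```

Any non-empty result from `find_nonce_reuse` means messages under that key would share a keystream; keeping the nonce at exactly 12 bytes avoids the truncation entirely.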

10) Improper input validation (CVE-ID: CVE-2019-2865)

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.


11) Improper input validation (CVE-ID: CVE-2019-2864)

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.


12) Improper input validation (CVE-ID: CVE-2019-2866)

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.


13) Improper input validation (CVE-ID: CVE-2019-2867)

The vulnerability allows a local privileged user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to execute arbitrary code.


14) Improper input validation (CVE-ID: CVE-2019-2859)

The vulnerability allows a local authenticated user to execute arbitrary code.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to execute arbitrary code.


Remediation

Install the update from the vendor's website.