SB20230719124 - Multiple vulnerabilities in Oracle VM VirtualBox
Published: July 19, 2023 Updated: July 27, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2023-22016)
The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to perform a denial of service (DoS) attack.
2) Improper input validation (CVE-ID: CVE-2023-22017)
The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to perform a denial of service (DoS) attack.
3) Resource exhaustion (CVE-ID: CVE-2023-0464)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when verifying X.509 certificate chains that include policy constraints. A remote attacker can create a specially crafted certificate to trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Buffer overflow (CVE-ID: CVE-2023-22018)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox when handling USB request messages. A remote attacker can trigger memory corruption and execute arbitrary code on the target system in the context of the RDP service.
Remediation
Install update from vendor's website.