SB20230418181 - Multiple vulnerabilities in Oracle VM VirtualBox




Published: April 18, 2023 Updated: April 25, 2023

Security Bulletin ID: SB20230418181
Severity: Medium
Patch available: YES
Number of vulnerabilities: 11
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 9%, Low: 91%

Description

This security bulletin contains information about 11 security vulnerabilities.


1) Out-of-bounds read (CVE-ID: CVE-2023-21991)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the handling of VGA MMIO. A local privileged user can trigger an out-of-bounds read error and read contents of memory on the system.


2) Improper input validation (CVE-ID: CVE-2023-21999)

The vulnerability allows a local authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local authenticated user can exploit this vulnerability to read and manipulate data.


3) Access of Uninitialized Pointer (CVE-ID: CVE-2023-21988)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to access to uninitialized memory within the handling of GPA requests. A local privileged user can gain access to sensitive information.


4) Improper input validation (CVE-ID: CVE-2023-22001)

The vulnerability allows a local privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to read and manipulate data.


5) Improper input validation (CVE-ID: CVE-2023-22000)

The vulnerability allows a local privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to read and manipulate data.


6) Improper input validation (CVE-ID: CVE-2023-21998)

The vulnerability allows a local privileged user to read and manipulate data.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to read and manipulate data.


7) Access of Uninitialized Pointer (CVE-ID: CVE-2023-21989)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to access to uninitialized memory within the OHCI USB controller. A local privileged user can gain unauthorized access to sensitive information.


8) Improper input validation (CVE-ID: CVE-2023-22002)

The vulnerability allows a local privileged user to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Core component in Oracle VM VirtualBox. A local privileged user can exploit this vulnerability to gain access to sensitive information.


9) Cleartext transmission of sensitive information (CVE-ID: CVE-2022-42916)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error when parsing a URL with IDN characters that get replaced with their ASCII counterparts as part of the IDN conversion. A remote attacker can bypass curl's HSTS check and trick it into using the unencrypted HTTP protocol.


10) Stack-based buffer overflow (CVE-ID: CVE-2023-21987)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within the handling of TPM MMIO. A local privileged user can trigger a stack-based buffer overflow and execute arbitrary code in the context of the hypervisor.


11) Use-after-free (CVE-ID: CVE-2023-21990)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the OHCI USB controller. A local privileged user can trigger a use-after-free error and execute arbitrary code in the context of the hypervisor.


Remediation

Install the update from the vendor's website.