{"id":"MGASA-2018-0101","summary":"Updated virtualbox packages fix security vulnerabilities","details":"Oracle VM VirtualBox incorporates the OpenSSL software libraries to provide\ncryptographic capabilities. OpenSSL versions through 1.0.2m and 1.1.0g are\nsusceptible to a vulnerability that could allow an attacker to recover\nencryption keys and access protected communications (CVE-2017-3736).\n\nSystems with microprocessors utilizing speculative execution and indirect\nbranch prediction may allow unauthorized disclosure of information to an\nattacker with local user access via a side-channel analysis (CVE-2017-5715).\n\nOracle VM VirtualBox prior to 5.2.6 has easily exploitable vulnerabilities\nthat allow a high privileged attacker with logon to the infrastructure where\nVirtualBox executes to compromise it. While the vulnerability is in\nVirtualBox, attacks may significantly impact additional products. Successful\nattacks of this vulnerability can result in takeover of VirtualBox\n(CVE-2018-2676).\n\nOracle VM VirtualBox prior to 5.2.6 has easily exploitable vulnerabilities\nthat allow an unauthenticated attacker with logon to the infrastructure where\nVirtualBox executes to compromise it. Successful attacks require human\ninteraction from a person other than the attacker and while the\nvulnerability is in VirtualBox, attacks may significantly impact additional\nproducts. Successful attacks of this vulnerability can result in takeover\nof VirtualBox (CVE-2018-2685, CVE-2018-2686, CVE-2018-2687, CVE-2018-2688,\nCVE-2018-2689, CVE-2018-2690).\n\nOracle VM VirtualBox Guest Additions prior to 5.2.6 has an easily exploitable\nvulnerability that allows a low privileged attacker with logon to the infrastructure\nwhere VirtualBox executes to compromise it. 
Successful attacks require human\ninteraction from a person other than the attacker and while the vulnerability\nis in VirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in takeover of VirtualBox\n(CVE-2018-2693).\n\nOracle VM VirtualBox prior to 5.2.6 has easily exploitable vulnerabilities\nthat allow a low privileged attacker with logon to the infrastructure where\nVirtualBox executes to compromise it. While the vulnerability is in\nVirtualBox, attacks may significantly impact additional products. Successful\nattacks of this vulnerability can result in takeover of VirtualBox\n(CVE-2018-2694, CVE-2018-2698).\n\nFor other fixes in this update, see the referenced changelog.\n","modified":"2026-04-16T01:46:05.589254050Z","published":"2018-01-25T21:04:19Z","upstream":["CVE-2017-3736","CVE-2017-5715","CVE-2018-2676","CVE-2018-2685","CVE-2018-2686","CVE-2018-2687","CVE-2018-2688","CVE-2018-2689","CVE-2018-2690","CVE-2018-2693","CVE-2018-2694","CVE-2018-2698"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0101.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=22408"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixOVIR"},{"type":"WEB","url":"https://www.virtualbox.org/wiki/Changelog"}],"affected":[{"package":{"name":"kmod-vboxadditions","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/kmod-vboxadditions?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.6-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0101.json"}},{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.6-1.mga6"}]}],"ecosystem_specific":{"section":"core"},
"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0101.json"}},{"package":{"name":"virtualbox","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/virtualbox?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.2.6-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0101.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}