Bug 951432 - (CVE-2015-4813) VUL-0: CVE-2015-4813,CVE-2015-4856,CVE-2015-4896: virtualbox: Oracle Critical Patch Update October 2015
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Larry Finger
QA Contact: Security Team bot
Depends on:
Blocks:
Reported: 2015-10-21 15:37 UTC by Andreas Stieger
Modified: 2015-11-30 13:10 UTC
CC List: 3 users
See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Andreas Stieger 2015-10-21 15:37:10 UTC
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixOVIR

This Critical Patch Update contains 3 new security fixes for Oracle Virtualization. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

CVE-2015-4813 - VirtualBox prior to 4.0.34, 4.1.42, 4.2.34, 4.3.32, 5.0.8
CVSSv2: 2.1 (AV:L/AC:L/Au:N/C:N/I:N/A:P)

CVE-2015-4856 - VirtualBox prior to 4.0.30, 4.1.38, 4.2.30, 4.3.26, 5.0.0
CVSSv2: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVE-2015-4896 - VirtualBox prior to 4.0.34, 4.1.42, 4.2.34, 4.3.32, 5.0.8
CVSSv2: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)

For other changes see https://www.virtualbox.org/wiki/Changelog
Comment 1 Larry Finger 2015-10-21 17:59:39 UTC
The fix for CVE-2015-4856 is already in the openSUSE-distributed versions of VB.

The other two vulnerabilities are fixed in VB 5.0.8, 4.3.32, and 4.2.34.

Version 5.0.8, used in Factory, Tumbleweed, and Leap 42.1, has been submitted to OBS.

Version 4.3.32, used in 13.2, has also been submitted to OBS.

Version 4.2.34, used in 13.1, currently has a build error in the 32-bit version, but it will be sent to OBS as soon as possible.
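Comment 1 reasons about which distributed versions already carry which fix. The check below is added here as an example and is not part of the bug report or of the openSUSE packaging: it applies the "prior to" fix lists from the Description to an installed version string. The same-branch matching rule and the fallback for branches the advisory does not list are assumptions.

```python
# Added example (not from the bug report): check an installed VirtualBox
# version against the "prior to" fix releases quoted in the Description.
# Branch-matching rule and the fallback for unlisted branches are assumptions.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fix releases per CVE, as quoted in the Description.
FIXED_IN: Dict[str, List[str]] = {
    "CVE-2015-4813": ["4.0.34", "4.1.42", "4.2.34", "4.3.32", "5.0.8"],
    "CVE-2015-4856": ["4.0.30", "4.1.38", "4.2.30", "4.3.26", "5.0.0"],
    "CVE-2015-4896": ["4.0.34", "4.1.42", "4.2.34", "4.3.32", "5.0.8"],
}

def parse_version(text: str) -> Version:
    """'4.3.32' or a package string like '4.3.32-32.2' -> (4, 3, 32)."""
    return tuple(int(p) for p in text.split("-", 1)[0].split("."))

def fix_on_branch(installed: Version, fixed: List[str]) -> Optional[Version]:
    """Fix release on the installed major.minor branch, or None if unlisted."""
    for candidate in fixed:
        fix = parse_version(candidate)
        if fix[:2] == installed[:2]:
            return fix
    return None

def affected_cves(installed_text: str) -> Dict[str, bool]:
    """Map each CVE to True when the installed version is 'prior to' its fix.

    An unlisted branch (e.g. 3.2.x or 5.1.x) is compared against the newest
    listed fix: older than every fix counts as affected, newer as fixed.
    """
    installed = parse_version(installed_text)
    result: Dict[str, bool] = {}
    for cve, fixed in FIXED_IN.items():
        fix = fix_on_branch(installed, fixed)
        if fix is None:
            fix = max(parse_version(f) for f in fixed)
        result[cve] = installed < fix
    return result

def upgrade_target(installed_text: str) -> Optional[str]:
    """Lowest same-branch release closing every CVE still open, or None."""
    installed = parse_version(installed_text)
    still_open = [c for c, hit in affected_cves(installed_text).items() if hit]
    fixes = [fix_on_branch(installed, FIXED_IN[c]) for c in still_open]
    fixes = [f for f in fixes if f is not None]
    return ".".join(map(str, max(fixes))) if fixes else None
```

Running it on 4.3.30 reproduces Comment 1: CVE-2015-4856 is already closed on the 4.3 branch while the other two need 4.3.32; a None upgrade target on an unlisted branch means a branch change, not a point release, is needed.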
Comment 2 Swamp Workflow Management 2015-10-21 22:00:24 UTC
bugbot adjusting priority
Comment 3 Andreas Stieger 2015-10-24 18:26:27 UTC
13.2 Update is running, looking for 13.1 update when it's ready
Comment 4 Larry Finger 2015-10-24 19:59:59 UTC
(In reply to Andreas Stieger from comment #3)
> 13.2 Update is running, looking for 13.1 update when it's ready

That may take a while. Building 4.2.34 for 13.1 results in the following error:

[  866s]  # error "CONFIG_X86_SMAP is only supported by 4.3 and higher. Please upgrade VirtualBox."

It appears that CONFIG_X86_SMAP has recently been added to the 13.1 kernel, and that VB 4.3.32 will need to be used rather than 4.2.34. I'm still considering the implications of that change.
Comment 5 Bernhard Wiedemann 2015-10-26 07:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (951432) was mentioned in
https://build.opensuse.org/request/show/340909 Factory / virtualbox
Comment 6 Swamp Workflow Management 2015-11-01 09:10:02 UTC
openSUSE-SU-2015:1855-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 951432
CVE References: CVE-2015-4813,CVE-2015-4896
Sources used:
openSUSE 13.2 (src):    virtualbox-4.3.32-32.2
Comment 7 Sebastian Krahmer 2015-11-30 09:45:14 UTC
released
Comment 8 Swamp Workflow Management 2015-11-30 13:10:53 UTC
openSUSE-SU-2015:2154-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 951432
CVE References: CVE-2015-4813,CVE-2015-4896
Sources used:
openSUSE 13.1 (src):    virtualbox-4.2.36-2.52.2