The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of VirtualBox

vulnerability alert CVE-2017-3733

OpenSSL: denial of service via the "Encrypt-Then-Mac" option

Synthesis of the vulnerability

An attacker can change the state of the "Encrypt-Then-Mac" TLS option in a renegotiation with a server or client based on OpenSSL, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 16/02/2017.
Identifiers: 2003480, 2003620, 2003673, 2004940, CERTFR-2017-AVI-035, cisco-sa-20170130-openssl, cpuapr2019, cpujan2018, cpuoct2017, CVE-2017-3733, HPESBGN03728, VIGILANCE-VUL-21871.

Description of the vulnerability

OpenSSL supports renegotiation of TLS options and parameters during a session.

However, for some combinations of algorithms, changing the state of the "Encrypt-Then-Mac" option during renegotiation generates a fatal error.

An attacker can therefore change the state of the "Encrypt-Then-Mac" TLS option in a renegotiation with a server or client based on OpenSSL, in order to trigger a denial of service.

weakness announce CVE-2016-7055 CVE-2017-3730 CVE-2017-3731

OpenSSL: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 26/01/2017.
Identifiers: 1117414, 2000544, 2000988, 2000990, 2002331, 2004036, 2004940, 2009389, 2010154, 2011567, 2012827, 2014202, 2014651, 2014669, 2015080, BSA-2016-204, BSA-2016-207, BSA-2016-211, BSA-2016-212, BSA-2016-213, BSA-2016-216, BSA-2016-234, bulletinapr2017, bulletinjan2018, bulletinoct2017, CERTFR-2017-AVI-035, CERTFR-2018-AVI-343, cisco-sa-20170130-openssl, cpuapr2017, cpuapr2019, cpujan2018, cpujul2017, cpujul2018, cpuoct2017, CVE-2016-7055, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, DLA-814-1, DSA-3773-1, FEDORA-2017-3451dbec48, FEDORA-2017-e853b4144f, FG-IR-17-019, FreeBSD-SA-17:02.openssl, ibm10732391, ibm10733905, ibm10738249, ibm10738401, JSA10775, K37526132, K43570545, K44512851, K-510805, NTAP-20170127-0001, NTAP-20170310-0002, NTAP-20180201-0001, openSUSE-SU-2017:0481-1, openSUSE-SU-2017:0487-1, openSUSE-SU-2017:0527-1, openSUSE-SU-2017:0941-1, openSUSE-SU-2017:2011-1, openSUSE-SU-2017:2868-1, openSUSE-SU-2018:0458-1, PAN-70674, PAN-73914, PAN-SA-2017-0012, PAN-SA-2017-0014, PAN-SA-2017-0016, RHSA-2017:0286-01, RHSA-2018:2568-01, RHSA-2018:2575-01, SA141, SA40423, SB10188, SSA:2017-041-02, SUSE-SU-2018:0112-1, SUSE-SU-2018:2839-1, SUSE-SU-2018:3082-1, TNS-2017-03, USN-3181-1, VIGILANCE-VUL-21692.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can force a read at an invalid address via a truncated packet, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2017-3731]

An attacker can force a NULL pointer to be dereferenced via DHE/ECDHE Parameters, in order to trigger a denial of service. [severity:2/4; CVE-2017-3730]

An attacker can use a carry propagation error via BN_mod_exp(), in order to compute the private key. [severity:1/4; CVE-2017-3732]

An error occurs in the Broadwell-specific Montgomery Multiplication Procedure, but with no apparent impact. [severity:1/4; CVE-2016-7055]

vulnerability bulletin CVE-2016-5545 CVE-2017-3290 CVE-2017-3316

Oracle VirtualBox: vulnerabilities of January 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VirtualBox.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 18/01/2017.
Identifiers: 1037, CERTFR-2017-AVI-019, cpujan2017, CVE-2016-5545, CVE-2017-3290, CVE-2017-3316, CVE-2017-3332, openSUSE-SU-2017:0332-1, openSUSE-SU-2017:0382-1, VIGILANCE-VUL-21611.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VirtualBox.

An attacker can use a vulnerability via GUI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3316]

An attacker can use a vulnerability via VirtualBox SVGA Emulation, in order to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3332]

An attacker can use a vulnerability via Shared Folder, in order to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3290]

An attacker can use a vulnerability via GUI, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-5545]

computer vulnerability bulletin CVE-2016-5501 CVE-2016-5538 CVE-2016-5605

Oracle VM VirtualBox: vulnerabilities of October 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VM VirtualBox.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 19/10/2016.
Identifiers: CERTFR-2016-AVI-350, cpuoct2016, CVE-2016-5501, CVE-2016-5538, CVE-2016-5605, CVE-2016-5608, CVE-2016-5610, CVE-2016-5611, CVE-2016-5613, openSUSE-SU-2016:2623-1, openSUSE-SU-2016:2935-1, openSUSE-SU-2017:0270-1, VIGILANCE-VUL-20904.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VM VirtualBox.

An attacker can use a vulnerability via VirtualBox Remote Desktop Extension (VRDE), in order to obtain or alter information. [severity:3/4; CVE-2016-5605]

An attacker can use a vulnerability via Core, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5501]

An attacker can use a vulnerability via Core, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5538]

An attacker can use a vulnerability via Core, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-5610]

An attacker can use a vulnerability via Core, in order to trigger a denial of service. [severity:2/4; CVE-2016-5608]

An attacker can use a vulnerability via Core, in order to obtain information. [severity:2/4; CVE-2016-5611]

An attacker can use a vulnerability via Core, in order to trigger a denial of service. [severity:2/4; CVE-2016-5613]

cybersecurity announce CVE-2016-6302 CVE-2016-6303 CVE-2016-6304

OpenSSL: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/09/2016.
Identifiers: 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1996096, 1999395, 1999421, 1999474, 1999478, 1999479, 1999488, 1999532, 2000095, 2000209, 2000544, 2002870, 2003480, 2003620, 2003673, 2008828, bulletinapr2017, bulletinjul2016, bulletinoct2016, CERTFR-2016-AVI-320, CERTFR-2016-AVI-333, cisco-sa-20160927-openssl, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, DLA-637-1, DSA-3673-1, DSA-3673-2, FEDORA-2016-97454404fe, FEDORA-2016-a555159613, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FreeBSD-SA-16:26.openssl, HPESBHF03856, HT207423, JSA10759, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2018:0458-1, RHSA-2016:1940-01, RHSA-2016:2802-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA132, SA40312, SB10171, SB10215, SOL54211024, SOL90492697, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, STORM-2016-005, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, TNS-2016-16, USN-3087-1, USN-3087-2, VIGILANCE-VUL-20678.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can cause excessive memory consumption via an OCSP request, in order to trigger a denial of service. [severity:3/4; CVE-2016-6304]

An attacker can make a process block itself via SSL_peek, in order to trigger a denial of service. [severity:2/4; CVE-2016-6305]

An attacker can generate a buffer overflow via MDC2_Update, in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2016-6303]

An attacker can generate a read-only buffer overflow, in order to trigger a denial of service. [severity:1/4; CVE-2016-6302]

An attacker can generate a read-only buffer overflow via the parsing of an X.509 certificate, in order to trigger a denial of service. [severity:1/4; CVE-2016-6306]

An attacker can make the server allocate a large amount of memory to process TLS packets. [severity:1/4; CVE-2016-6307]

An attacker can make the server allocate a large amount of memory to process DTLS packets. [severity:1/4; CVE-2016-6308]

vulnerability note CVE-2016-3597

Oracle VM VirtualBox: denial of service

Synthesis of the vulnerability

An attacker can generate a fatal error of Oracle VM VirtualBox, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 20/07/2016.
Identifiers: CERTFR-2016-AVI-245, cpujul2016, CVE-2016-3597, openSUSE-SU-2016:2314-1, VIGILANCE-VUL-20172.

Description of the vulnerability

An attacker can generate a fatal error of Oracle VM VirtualBox, in order to trigger a denial of service.

weakness CVE-2016-3612

Oracle VM VirtualBox: information disclosure via SSL/TLS

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via SSL/TLS of Oracle VM VirtualBox, in order to obtain sensitive information.
Severity: 2/4.
Creation date: 20/07/2016.
Identifiers: CERTFR-2016-AVI-245, cpujul2016, CVE-2016-3612, openSUSE-SU-2016:2314-1, VIGILANCE-VUL-20171.

Description of the vulnerability

An attacker can bypass access restrictions to data via SSL/TLS of Oracle VM VirtualBox, in order to obtain sensitive information.

vulnerability note CVE-2016-2105 CVE-2016-2106 CVE-2016-2107

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 6.
Creation date: 03/05/2016.
Identifiers: 1982949, 1985850, 1987779, 1993215, 1995099, 1998797, 2003480, 2003620, 2003673, 510853, 9010083, bulletinapr2016, bulletinapr2017, CERTFR-2016-AVI-151, CERTFR-2016-AVI-153, CERTFR-2018-AVI-160, cisco-sa-20160504-openssl, cpuapr2017, cpujan2018, cpujul2016, cpujul2017, cpujul2018, cpuoct2016, cpuoct2017, cpuoct2018, CTX212736, CTX233832, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, DLA-456-1, DSA-3566-1, ESA-2017-142, FEDORA-2016-05c567df1a, FEDORA-2016-1e39d934ed, FEDORA-2016-e1234b65a2, FG-IR-16-026, FreeBSD-SA-16:17.openssl, HPESBGN03728, HPESBHF03756, HT206903, JSA10759, K23230229, K36488941, K51920288, K75152412, K93600123, MBGSA-1603, MIGR-5099595, MIGR-5099597, NTAP-20160504-0001, openSUSE-SU-2016:1237-1, openSUSE-SU-2016:1238-1, openSUSE-SU-2016:1239-1, openSUSE-SU-2016:1240-1, openSUSE-SU-2016:1241-1, openSUSE-SU-2016:1242-1, openSUSE-SU-2016:1243-1, openSUSE-SU-2016:1273-1, openSUSE-SU-2016:1566-1, openSUSE-SU-2017:0487-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2016:0722-01, RHSA-2016:0996-01, RHSA-2016:1137-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, RHSA-2016:2073-01, SA123, SA40202, SB10160, SOL23230229, SOL36488941, SOL51920288, SOL75152412, SP-CAAAPPQ, SPL-119440, SPL-121159, SPL-123095, SSA:2016-124-01, STORM-2016-002, SUSE-SU-2016:1206-1, SUSE-SU-2016:1228-1, SUSE-SU-2016:1231-1, SUSE-SU-2016:1233-1, SUSE-SU-2016:1267-1, SUSE-SU-2016:1290-1, SUSE-SU-2016:1360-1, SUSE-SU-2018:0112-1, TNS-2016-10, USN-2959-1, VIGILANCE-VUL-19512, VN-2016-006, VN-2016-007.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. This vulnerability was initially fixed in versions 1.0.1o and 1.0.2c, but it was not disclosed at that time. [severity:3/4; CVE-2016-2108]

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. [severity:3/4; CVE-2016-2107]

An attacker can generate a buffer overflow in EVP_EncodeUpdate(), which is mainly used by command line applications, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2105]

An attacker can generate a buffer overflow in EVP_EncryptUpdate(), which is difficult to reach, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2106]

An attacker can trigger an excessive memory usage in d2i_CMS_bio(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2109]

An attacker can force a read at an invalid address in applications using X509_NAME_oneline(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2176]

weakness bulletin CVE-2015-3195 CVE-2015-3197 CVE-2016-0678

Oracle VM VirtualBox: three vulnerabilities of April 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VM VirtualBox.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 20/04/2016.
Identifiers: CERTFR-2016-AVI-137, cpuapr2016, CVE-2015-3195, CVE-2015-3197, CVE-2016-0678, openSUSE-SU-2016:1451-1, openSUSE-SU-2016:1462-1, VIGILANCE-VUL-19418.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VM VirtualBox.

An attacker can use a vulnerability of HTTPS, in order to trigger a denial of service (VIGILANCE-VUL-18436). [severity:2/4; CVE-2015-3195]

An attacker can use a vulnerability, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-0678]

An attacker can use a vulnerability of HTTPS, in order to obtain information (VIGILANCE-VUL-18837). [severity:2/4; CVE-2015-3197]

weakness CVE-2015-5307 CVE-2015-7183 CVE-2015-8104

Oracle VM VirtualBox: multiple vulnerabilities of January 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VM VirtualBox.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 6.
Creation date: 20/01/2016.
Revision date: 22/01/2016.
Identifiers: CERTFR-2016-AVI-029, CERTFR-2016-AVI-050, cpujan2016, CVE-2015-5307, CVE-2015-7183, CVE-2015-8104, CVE-2016-0495, CVE-2016-0592, CVE-2016-0602, DSA-3454-1, openSUSE-SU-2016:0301-1, RHSA-2016:0103-01, SUSE-SU-2016:0354-1, SUSE-SU-2016:0658-1, VIGILANCE-VUL-18763.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VM VirtualBox.

An attacker can use a vulnerability of Core, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-7183]

An attacker can use a vulnerability of Windows Installer, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-0602]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2015-5307]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2015-8104]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2016-0495]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:1/4; CVE-2016-0592]