The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of VirtualBox

vulnerability note CVE-2016-5501 CVE-2016-5538 CVE-2016-5605

Oracle VM VirtualBox: vulnerabilities of October 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VM VirtualBox.
Impacted products: openSUSE, openSUSE Leap, VirtualBox.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 19/10/2016.
Identifiers: CERTFR-2016-AVI-350, cpuoct2016, CVE-2016-5501, CVE-2016-5538, CVE-2016-5605, CVE-2016-5608, CVE-2016-5610, CVE-2016-5611, CVE-2016-5613, openSUSE-SU-2016:2623-1, openSUSE-SU-2016:2935-1, openSUSE-SU-2017:0270-1, VIGILANCE-VUL-20904.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VM VirtualBox.

An attacker can use a vulnerability via VirtualBox Remote Desktop Extension (VRDE), in order to obtain or alter information. [severity:3/4; CVE-2016-5605]

An attacker can use a vulnerability via Core, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5501]

An attacker can use a vulnerability via Core, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5538]

An attacker can use a vulnerability via Core, in order to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-5610]

An attacker can use a vulnerability via Core, in order to trigger a denial of service. [severity:2/4; CVE-2016-5608]

An attacker can use a vulnerability via Core, in order to obtain information. [severity:2/4; CVE-2016-5611]

An attacker can use a vulnerability via Core, in order to trigger a denial of service. [severity:2/4; CVE-2016-5613]

computer vulnerability bulletin CVE-2016-6302 CVE-2016-6303 CVE-2016-6304

OpenSSL: seven vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Mac OS X, Arkoon FAST360, Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco Manager Attendant Console, Cisco Unified CCX, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, Debian, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiGate, FortiGate Virtual Appliance, FortiOS, FreeBSD, FreeRADIUS, hMailServer, HP Switch, AIX, DB2 UDB, IRAD, QRadar SIEM, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee Email Gateway, ePO, MySQL Community, MySQL Enterprise, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle DB, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Solaris, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier, Percona Server, pfSense, Pulse Connect Secure, Pulse Secure Client, Pulse Secure SBR, Puppet, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DS***, Synology RS***, Nessus, Ubuntu, VxWorks, WinSCP.
Severity: 3/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 7.
Creation date: 22/09/2016.
Identifiers: 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992681, 1993777, 1996096, 1999395, 1999421, 1999474, 1999478, 1999479, 1999488, 1999532, 2000095, 2000209, 2000544, 2002870, 2003480, 2003620, 2003673, 2008828, bulletinapr2017, bulletinjul2016, bulletinoct2016, CERTFR-2016-AVI-320, CERTFR-2016-AVI-333, cisco-sa-20160927-openssl, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpujul2019, cpuoct2017, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, DLA-637-1, DSA-3673-1, DSA-3673-2, FEDORA-2016-97454404fe, FEDORA-2016-a555159613, FG-IR-16-047, FG-IR-16-048, FG-IR-17-127, FreeBSD-SA-16:26.openssl, HPESBHF03856, HT207423, JSA10759, openSUSE-SU-2016:2391-1, openSUSE-SU-2016:2407-1, openSUSE-SU-2016:2496-1, openSUSE-SU-2016:2537-1, openSUSE-SU-2018:0458-1, RHSA-2016:1940-01, RHSA-2016:2802-01, RHSA-2017:1548-01, RHSA-2017:1549-01, RHSA-2017:1550-01, RHSA-2017:1551-01, RHSA-2017:1552-01, RHSA-2017:1658-01, RHSA-2017:1659-01, RHSA-2017:2493-01, RHSA-2017:2494-01, SA132, SA40312, SB10171, SB10215, SOL54211024, SOL90492697, SP-CAAAPUE, SPL-129207, SSA:2016-266-01, STORM-2016-005, SUSE-SU-2016:2387-1, SUSE-SU-2016:2394-1, SUSE-SU-2016:2458-1, SUSE-SU-2016:2468-1, SUSE-SU-2016:2469-1, SUSE-SU-2016:2470-1, SUSE-SU-2016:2470-2, TNS-2016-16, USN-3087-1, USN-3087-2, VIGILANCE-VUL-20678.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can cause excessive memory consumption via an OCSP request, in order to trigger a denial of service. [severity:3/4; CVE-2016-6304]

An attacker can make a process block itself via SSL_peek, in order to trigger a denial of service. [severity:2/4; CVE-2016-6305]

An attacker can generate a buffer overflow via MDC2_Update, in order to trigger a denial of service, and possibly to run code. [severity:1/4; CVE-2016-6303]

An attacker can generate a read-only buffer overflow, in order to trigger a denial of service. [severity:1/4; CVE-2016-6302]

An attacker can generate a read-only buffer overflow via the parsing of an X.509 certificate, in order to trigger a denial of service. [severity:1/4; CVE-2016-6306]

An attacker can make the server allocate a large amount of memory to process TLS packets. [severity:1/4; CVE-2016-6307]

An attacker can make the server allocate a large amount of memory to process DTLS packets. [severity:1/4; CVE-2016-6308]

vulnerability announce CVE-2016-3597

Oracle VM VirtualBox: denial of service

Synthesis of the vulnerability

An attacker can generate a fatal error of Oracle VM VirtualBox, in order to trigger a denial of service.
Impacted products: openSUSE, VirtualBox.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 20/07/2016.
Identifiers: CERTFR-2016-AVI-245, cpujul2016, CVE-2016-3597, openSUSE-SU-2016:2314-1, VIGILANCE-VUL-20172.

Description of the vulnerability

An attacker can generate a fatal error of Oracle VM VirtualBox, in order to trigger a denial of service.

vulnerability alert CVE-2016-3612

Oracle VM VirtualBox: information disclosure via SSL/TLS

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via SSL/TLS of Oracle VM VirtualBox, in order to obtain sensitive information.
Impacted products: openSUSE, VirtualBox.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 20/07/2016.
Identifiers: CERTFR-2016-AVI-245, cpujul2016, CVE-2016-3612, openSUSE-SU-2016:2314-1, VIGILANCE-VUL-20171.

Description of the vulnerability

An attacker can bypass access restrictions to data via SSL/TLS of Oracle VM VirtualBox, in order to obtain sensitive information.

vulnerability announce CVE-2016-2105 CVE-2016-2106 CVE-2016-2107

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Tomcat, Mac OS X, StormShield, Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, XenServer, Debian, PowerPath, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiOS, FreeBSD, Android OS, HP Operations, HP Switch, AIX, IRAD, QRadar SIEM, IBM System x Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee NSM, Meinberg NTP Server, MySQL Community, MySQL Enterprise, Data ONTAP 7-Mode, NETASQ, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier, Palo Alto Firewall PA***, PAN-OS, Percona Server, pfSense, Pulse Connect Secure, Puppet, Python, RHEL, JBoss EAP by Red Hat, SAS Management Console, Shibboleth SP, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, VxWorks, X2GoClient.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 03/05/2016.
Identifiers: 1982949, 1985850, 1987779, 1993215, 1995099, 1998797, 2003480, 2003620, 2003673, 510853, 9010083, bulletinapr2016, bulletinapr2017, CERTFR-2016-AVI-151, CERTFR-2016-AVI-153, CERTFR-2018-AVI-160, cisco-sa-20160504-openssl, cpuapr2017, cpujan2018, cpujul2016, cpujul2017, cpujul2018, cpuoct2016, cpuoct2017, cpuoct2018, CTX212736, CTX233832, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, DLA-456-1, DSA-3566-1, ESA-2017-142, FEDORA-2016-05c567df1a, FEDORA-2016-1e39d934ed, FEDORA-2016-e1234b65a2, FG-IR-16-026, FreeBSD-SA-16:17.openssl, HPESBGN03728, HPESBHF03756, HT206903, JSA10759, K23230229, K36488941, K51920288, K75152412, K93600123, MBGSA-1603, MIGR-5099595, MIGR-5099597, NTAP-20160504-0001, openSUSE-SU-2016:1237-1, openSUSE-SU-2016:1238-1, openSUSE-SU-2016:1239-1, openSUSE-SU-2016:1240-1, openSUSE-SU-2016:1241-1, openSUSE-SU-2016:1242-1, openSUSE-SU-2016:1243-1, openSUSE-SU-2016:1273-1, openSUSE-SU-2016:1566-1, openSUSE-SU-2017:0487-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2016:0722-01, RHSA-2016:0996-01, RHSA-2016:1137-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, RHSA-2016:2073-01, SA123, SA40202, SB10160, SOL23230229, SOL36488941, SOL51920288, SOL75152412, SP-CAAAPPQ, SPL-119440, SPL-121159, SPL-123095, SSA:2016-124-01, STORM-2016-002, SUSE-SU-2016:1206-1, SUSE-SU-2016:1228-1, SUSE-SU-2016:1231-1, SUSE-SU-2016:1233-1, SUSE-SU-2016:1267-1, SUSE-SU-2016:1290-1, SUSE-SU-2016:1360-1, SUSE-SU-2018:0112-1, TNS-2016-10, USN-2959-1, VIGILANCE-VUL-19512, VN-2016-006, VN-2016-007.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. This vulnerability was initially fixed in versions 1.0.1o and 1.0.2c, but it was not disclosed at that time. [severity:3/4; CVE-2016-2108]

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. [severity:3/4; CVE-2016-2107]

An attacker can generate a buffer overflow in EVP_EncodeUpdate(), which is mainly used by command line applications, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2105]

An attacker can generate a buffer overflow in EVP_EncryptUpdate(), which is difficult to reach, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2106]

An attacker can trigger an excessive memory usage in d2i_CMS_bio(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2109]

An attacker can force a read at an invalid address in applications using X509_NAME_oneline(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2176]

computer vulnerability bulletin CVE-2015-3195 CVE-2015-3197 CVE-2016-0678

Oracle VM VirtualBox: three vulnerabilities of April 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VM VirtualBox.
Impacted products: openSUSE, openSUSE Leap, VirtualBox.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 3.
Creation date: 20/04/2016.
Identifiers: CERTFR-2016-AVI-137, cpuapr2016, CVE-2015-3195, CVE-2015-3197, CVE-2016-0678, openSUSE-SU-2016:1451-1, openSUSE-SU-2016:1462-1, VIGILANCE-VUL-19418.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VM VirtualBox.

An attacker can use a vulnerability of HTTPS, in order to trigger a denial of service (VIGILANCE-VUL-18436). [severity:2/4; CVE-2015-3195]

An attacker can use a vulnerability, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-0678]

An attacker can use a vulnerability of HTTPS, in order to obtain information (VIGILANCE-VUL-18837). [severity:2/4; CVE-2015-3197]

vulnerability bulletin CVE-2015-5307 CVE-2015-7183 CVE-2015-8104

Oracle VM VirtualBox: multiple vulnerabilities of January 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VM VirtualBox.
Impacted products: Debian, openSUSE, VirtualBox, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 20/01/2016.
Revision date: 22/01/2016.
Identifiers: CERTFR-2016-AVI-029, CERTFR-2016-AVI-050, cpujan2016, CVE-2015-5307, CVE-2015-7183, CVE-2015-8104, CVE-2016-0495, CVE-2016-0592, CVE-2016-0602, DSA-3454-1, openSUSE-SU-2016:0301-1, RHSA-2016:0103-01, SUSE-SU-2016:0354-1, SUSE-SU-2016:0658-1, VIGILANCE-VUL-18763.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VM VirtualBox.

An attacker can use a vulnerability of Core, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2015-7183]

An attacker can use a vulnerability of Windows Installer, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-0602]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2015-5307]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2015-8104]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2016-0495]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:1/4; CVE-2016-0592]

vulnerability alert CVE-2015-4813 CVE-2015-4856 CVE-2015-4896

Oracle VM VirtualBox: several vulnerabilities of October 2015

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle VM VirtualBox.
Impacted products: Debian, openSUSE, VirtualBox.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 21/10/2015.
Identifiers: CERTFR-2015-AVI-443, cpuoct2015, CVE-2015-4813, CVE-2015-4856, CVE-2015-4896, DSA-3384-1, openSUSE-SU-2015:1855-1, openSUSE-SU-2015:2154-1, VIGILANCE-VUL-18151.

Description of the vulnerability

Several vulnerabilities were announced in Oracle VM VirtualBox.

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2015-4856]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:1/4; CVE-2015-4813]

An attacker can use a vulnerability of Core, in order to trigger a denial of service. [severity:2/4; CVE-2015-4896]

computer vulnerability note CVE-2015-2594

VirtualBox: vulnerability

Synthesis of the vulnerability

A vulnerability of VirtualBox was announced.
Impacted products: Debian, openSUSE, VirtualBox.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: user shell.
Creation date: 18/08/2015.
Identifiers: CVE-2015-2594, DSA-3359-1, openSUSE-SU-2015:1400-1, VIGILANCE-VUL-17699.

Description of the vulnerability

A vulnerability of VirtualBox was announced.