WID-SEC-W-2024-2008
Vulnerability from csaf_certbund
Published
2018-01-16 23:00
Modified
2024-09-02 22:00
Summary
Oracle Virtualization: Multiple Vulnerabilities
Notes
The BSI, as provider, is responsible under general law for its own content made available for use. Users are, however, responsible for carefully checking, in each individual case, the use and/or implementation of the information provided with the content.
Product description
Oracle Secure Global Desktop provides secure access to centralized, server-based Windows, UNIX and "legacy" applications from various client devices.
Oracle VM Virtual Box is a virtualization platform that includes the host operating system.
Attack
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in Oracle Secure Global Desktop and Oracle VM Virtual Box to compromise availability, confidentiality and integrity.
Affected operating systems
- Linux
- UNIX
- Windows
{ document: { aggregate_severity: { text: "hoch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "Oracle Secure Global Desktop bietet einen sicheren Zugang zu zentralisierten, serverbasierten Windows, UNIX und \"leagacy\" Applikationen von verschiedenen Client-Geräten.\r\nOracle VM Virtual Box ist eine Virtualisierungsplattform, die das Host Betriebssystem beinhaltet.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box ausnutzen, um die Verfügbarkeit, Vertraulichkeit und Integrität zu gefährden.", title: "Angriff", }, { category: "general", text: "- Linux\n- UNIX\n- Windows", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-2008 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2018/wid-sec-w-2024-2008.json", }, { category: "self", summary: "WID-SEC-2024-2008 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-2008", }, { category: "external", summary: "Oracle Critical Patch Update Advisory - Januar 2018 - Virtualization vom 2018-01-16", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixOVIR", }, { 
category: "external", summary: "NetApp Security Advisory NTAP-20180117-0002 vom 2018-01-18", url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2018-0093 vom 2018-01-18", url: "http://linux.oracle.com/errata/ELSA-2018-0093.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2018-4012 vom 2018-01-19", url: "http://linux.oracle.com/errata/ELSA-2018-4012.html", }, { category: "external", summary: "Red Hat Security Advisory RHSA-2018:1196 vom 2018-04-24", url: "https://access.redhat.com/errata/RHSA-2018:1196", }, { category: "external", summary: "Oracle VM Server für x86 Bulletin - Juli 2019", url: "https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2019-5600406.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12605 vom 2024-09-02", url: "https://linux.oracle.com/errata/ELSA-2024-12605.html", }, { category: "external", summary: "Oracle Linux Security Advisory ELSA-2024-12604 vom 2024-09-02", url: "https://linux.oracle.com/errata/ELSA-2024-12604.html", }, ], source_lang: "en-US", title: "Oracle Virtualization: Mehrere Schwachstellen", tracking: { current_release_date: "2024-09-02T22:00:00.000+00:00", generator: { date: "2024-09-03T08:16:47.014+00:00", engine: { name: "BSI-WID", version: "1.3.6", }, }, id: "WID-SEC-W-2024-2008", initial_release_date: "2018-01-16T23:00:00.000+00:00", revision_history: [ { date: "2018-01-16T23:00:00.000+00:00", number: "1", summary: "Initial Release", }, { date: "2018-01-16T23:00:00.000+00:00", number: "2", summary: "Version nicht vorhanden", }, { date: "2018-01-17T23:00:00.000+00:00", number: "3", summary: "New remediations available", }, { date: "2018-01-21T23:00:00.000+00:00", number: "4", summary: "New remediations available", }, { date: "2018-02-11T23:00:00.000+00:00", number: "5", summary: "Added references", }, { date: "2018-06-05T22:00:00.000+00:00", number: "6", 
summary: "Added references", }, { date: "2024-09-02T22:00:00.000+00:00", number: "7", summary: "Neue Updates von Oracle Linux aufgenommen", }, ], status: "final", version: "7", }, }, product_tree: { branches: [ { branches: [ { category: "product_name", name: "Oracle Linux", product: { name: "Oracle Linux", product_id: "T004914", product_identification_helper: { cpe: "cpe:/o:oracle:linux:-", }, }, }, { branches: [ { category: "product_version", name: "5.3", product: { name: "Oracle Secure Global Desktop 5.3", product_id: "T011009", product_identification_helper: { cpe: "cpe:/a:oracle:secure_global_desktop:5.3", }, }, }, ], category: "product_name", name: "Secure Global Desktop", }, { branches: [ { category: "product_version_range", name: "<5.1.32", product: { name: "Oracle VM Virtual Box <5.1.32", product_id: "T011675", }, }, { category: "product_version", name: "5.1.32", product: { name: "Oracle VM Virtual Box 5.1.32", product_id: "T011675-fixed", product_identification_helper: { cpe: "cpe:/a:oracle:vm_virtualbox:5.1.32", }, }, }, { category: "product_version_range", name: "<5.2.6", product: { name: "Oracle VM Virtual Box <5.2.6", product_id: "T011676", }, }, { category: "product_version", name: "5.2.6", product: { name: "Oracle VM Virtual Box 5.2.6", product_id: "T011676-fixed", product_identification_helper: { cpe: "cpe:/a:oracle:vm_virtualbox:5.2.6", }, }, }, ], category: "product_name", name: "VM Virtual Box", }, ], category: "vendor", name: "Oracle", }, { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux", product: { name: "Red Hat Enterprise Linux", product_id: "67646", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:-", }, }, }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2017-3735", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. 
Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2017-3735", }, { cve: "CVE-2017-3736", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2017-3736", }, { cve: "CVE-2017-5645", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2017-5645", }, { cve: "CVE-2017-5715", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2017-5715", }, { cve: "CVE-2018-2676", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2676", }, { cve: "CVE-2018-2685", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. 
Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2685", }, { cve: "CVE-2018-2686", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2686", }, { cve: "CVE-2018-2687", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. 
Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2687", }, { cve: "CVE-2018-2688", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2688", }, { cve: "CVE-2018-2689", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. 
Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2689", }, { cve: "CVE-2018-2690", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. 
Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2690", }, { cve: "CVE-2018-2693", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2693", }, { cve: "CVE-2018-2694", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). 
Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2694", }, { cve: "CVE-2018-2698", notes: [ { category: "description", text: "Es existieren mehrere Schwachstellen in Oracle Secure Global Desktop und Oracle VM Virtual Box. Durch Ausnutzung dieser Schwachstellen kann ein Angreifer die Verfügbarkeit, Vertraulichkeit und Integrität gefährden. Für die Ausnutzung einiger dieser Schwachstellen ist keine Authentifizierung und keine Benutzerinteraktion notwendig. Oracle veröffentlicht keine weiteren Details zu diesen Schwachstellen (außer der Information in der Risiko Matrix im Oracle Advisory zum Critical Patch Update, siehe Link unten in diesem Advisory). Aufgrund der knappen Informationslage erfolgt die Bewertung der Schadenshöhe ausschließlich auf Basis der CVSS Impact Matrix. Der Maximalwert für diese Produkte ist \"High\" für \"Availability\", \"Confidentiality\" und \"Integrity\" und bewirkt damit eine \"hohe\" Schadenshöhe.", }, ], product_status: { known_affected: [ "T011009", "T011676", "67646", "T011675", "T004914", ], }, release_date: "2018-01-16T23:00:00.000+00:00", title: "CVE-2018-2698", }, ], }
cve-2018-2698
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:31
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
References
URL | Tags
---|---
http://www.securityfocus.com/bid/102688 | vdb-entry, x_refsource_BID
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK
https://www.exploit-db.com/exploits/43878/ | exploit, x_refsource_EXPLOIT-DB
Impacted products
Vendor | Product | Version
---|---|---
Oracle Corporation | VM VirtualBox | unspecified < 5.1.32; unspecified < 5.2.6
cve-2018-2686
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:32
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
URL | Tags
---|---
http://www.securityfocus.com/bid/102690 | vdb-entry, x_refsource_BID
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK
Impacted products
Vendor | Product | Version
---|---|---
Oracle Corporation | VM VirtualBox | unspecified < 5.1.32; unspecified < 5.2.6
cve-2017-5715
Vulnerability from cvelistv5
Published
2018-01-04 13:00
Modified
2024-09-17 03:28
Summary
Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
References
Impacted products
Vendor | Product | Version
---|---|---
Intel Corporation | Microprocessors with Speculative Execution | All
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T15:11:48.456Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4609", }, { name: "USN-3560-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3560-1/", }, { name: "[debian-lts-announce] 20180714 [SECURITY] [DLA 1422-1] linux security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html", }, { name: "DSA-4187", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4187", }, { name: "USN-3542-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3542-2/", }, { name: "GLSA-201810-06", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "https://security.gentoo.org/glsa/201810-06", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "USN-3540-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3540-2/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://access.redhat.com/security/vulnerabilities/speculativeexecution", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002", }, { name: "[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html", }, 
{ name: "USN-3597-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3597-1/", }, { name: "[debian-lts-announce] 20180715 [SECURITY] [DLA 1422-2] linux security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html", }, { name: "SUSE-SU-2018:0012", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html", }, { name: "SUSE-SU-2018:0011", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4611", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html", }, { name: "DSA-4213", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4213", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://cert.vde.com/en-us/advisories/vde-2018-002", }, { name: "DSA-4120", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4120", }, { name: "openSUSE-SU-2018:0013", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00009.html", }, { name: "USN-3580-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3580-1/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.f5.com/csp/article/K91229003", }, { name: "USN-3531-3", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3531-3/", }, { name: "USN-3620-2", tags: [ 
"vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3620-2/", }, { name: "openSUSE-SU-2018:0022", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html", }, { name: "USN-3582-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3582-1/", }, { name: "DSA-4188", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2018/dsa-4188", }, { name: "RHSA-2018:0292", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0292", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://xenbits.xen.org/xsa/advisory-254.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20180104-0001/", }, { name: "SUSE-SU-2018:0019", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00012.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/support/security/Synology_SA_18_01", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt", }, { name: "102376", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/102376", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", }, { name: "USN-3594-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3594-1/", }, { name: "VU#584653", tags: [ 
"third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "http://www.kb.cert.org/vuls/id/584653", }, { name: "VU#180049", tags: [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "https://www.kb.cert.org/vuls/id/180049", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://cert.vde.com/en-us/advisories/vde-2018-003", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes", }, { name: "SUSE-SU-2018:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00005.html", }, { name: "USN-3690-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3690-1/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03871en_us", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html", }, { name: "USN-3549-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3549-1/", }, { name: "SUSE-SU-2018:0007", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00003.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"https://support.citrix.com/article/CTX231399", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://spectreattack.com/", }, { name: "USN-3531-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3531-1/", }, { name: "FreeBSD-SA-18:03", tags: [ "vendor-advisory", "x_refsource_FREEBSD", "x_transferred", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-18:03.speculative_execution.asc", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/", }, { name: "SUSE-SU-2018:0006", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00002.html", }, { name: "USN-3581-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3581-1/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/", }, { name: "1040071", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040071", }, { name: "[debian-lts-announce] 20180916 [SECURITY] [DLA 1506-1] intel-microcode security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2018/09/msg00017.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr", }, { name: "USN-3597-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3597-2/", }, { name: "USN-3581-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3581-2/", 
}, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4614", }, { name: "SUSE-SU-2018:0010", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html", }, { name: "[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html", }, { name: "20180104 CPU Side-Channel Information Disclosure Vulnerabilities", tags: [ "vendor-advisory", "x_refsource_CISCO", "x_transferred", ], url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel", }, { name: "USN-3516-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/usn/usn-3516-1/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html", }, { name: "43427", tags: [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred", ], url: "https://www.exploit-db.com/exploits/43427/", }, { name: "SUSE-SU-2018:0020", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00013.html", }, { name: "USN-3541-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3541-2/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.lenovo.com/us/en/solutions/LEN-18282", }, { name: "USN-3777-3", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3777-3/", }, { name: "openSUSE-SU-2018:0023", tags: [ "vendor-advisory", "x_refsource_SUSE", 
"x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.vmware.com/security/advisories/VMSA-2018-0007.html", }, { name: "SUSE-SU-2018:0008", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00004.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4613", }, { name: "USN-3561-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3561-1/", }, { name: "USN-3582-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/3582-2/", }, { name: "20190624 [SECURITY] [DSA 4469-1] libvirt security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Jun/36", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf", }, { name: "FreeBSD-SA-19:26", tags: [ "vendor-advisory", "x_refsource_FREEBSD", "x_transferred", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc", }, { name: "20191112 FreeBSD Security Advisory FreeBSD-SA-19:26.mcu", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Nov/16", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/155281/FreeBSD-Security-Advisory-FreeBSD-SA-19-26.mcu.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"https://security.paloaltonetworks.com/CVE-2017-5715", }, { name: "[debian-lts-announce] 20200320 [SECURITY] [DLA 2148-1] amd64-microcode security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2020/03/msg00025.html", }, { name: "[debian-lts-announce] 20210816 [SECURITY] [DLA 2743-1] amd64-microcode security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00019.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Microprocessors with Speculative Execution", vendor: "Intel Corporation", versions: [ { status: "affected", version: "All", }, ], }, ], datePublic: "2018-01-03T00:00:00", descriptions: [ { lang: "en", value: "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-16T08:06:27", orgId: "6dda929c-bb53-4a77-a76d-48e79601a1ce", shortName: "intel", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4609", }, { name: "USN-3560-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3560-1/", }, { name: "[debian-lts-announce] 20180714 [SECURITY] [DLA 1422-1] linux security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html", }, { name: "DSA-4187", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4187", }, { name: "USN-3542-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3542-2/", }, { name: "GLSA-201810-06", tags: 
[ "vendor-advisory", "x_refsource_GENTOO", ], url: "https://security.gentoo.org/glsa/201810-06", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "USN-3540-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3540-2/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://access.redhat.com/security/vulnerabilities/speculativeexecution", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002", }, { name: "[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html", }, { name: "USN-3597-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3597-1/", }, { name: "[debian-lts-announce] 20180715 [SECURITY] [DLA 1422-2] linux security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html", }, { name: "SUSE-SU-2018:0012", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html", }, { name: "SUSE-SU-2018:0011", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4611", }, { tags: [ "x_refsource_MISC", ], url: "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html", }, { name: "DSA-4213", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4213", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"https://cert.vde.com/en-us/advisories/vde-2018-002", }, { name: "DSA-4120", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4120", }, { name: "openSUSE-SU-2018:0013", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00009.html", }, { name: "USN-3580-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3580-1/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K91229003", }, { name: "USN-3531-3", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3531-3/", }, { name: "USN-3620-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3620-2/", }, { name: "openSUSE-SU-2018:0022", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html", }, { name: "USN-3582-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3582-1/", }, { name: "DSA-4188", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2018/dsa-4188", }, { name: "RHSA-2018:0292", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0292", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://xenbits.xen.org/xsa/advisory-254.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20180104-0001/", }, { name: "SUSE-SU-2018:0019", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00012.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/support/security/Synology_SA_18_01", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt", }, { name: "102376", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/102376", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", }, { name: "USN-3594-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3594-1/", }, { name: "VU#584653", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "http://www.kb.cert.org/vuls/id/584653", }, { name: "VU#180049", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "https://www.kb.cert.org/vuls/id/180049", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://cert.vde.com/en-us/advisories/vde-2018-003", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes", }, { name: "SUSE-SU-2018:0009", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00005.html", }, { name: "USN-3690-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3690-1/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03871en_us", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html", }, { name: "USN-3549-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3549-1/", }, { name: "SUSE-SU-2018:0007", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: 
"http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00003.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.citrix.com/article/CTX231399", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", ], url: "https://spectreattack.com/", }, { name: "USN-3531-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3531-1/", }, { name: "FreeBSD-SA-18:03", tags: [ "vendor-advisory", "x_refsource_FREEBSD", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-18:03.speculative_execution.asc", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/", }, { name: "SUSE-SU-2018:0006", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00002.html", }, { name: "USN-3581-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3581-1/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/", }, { name: "1040071", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040071", }, { name: "[debian-lts-announce] 20180916 [SECURITY] [DLA 1506-1] intel-microcode security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2018/09/msg00017.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr", }, { name: "USN-3597-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3597-2/", }, { name: "USN-3581-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: 
"https://usn.ubuntu.com/3581-2/", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4614", }, { name: "SUSE-SU-2018:0010", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html", }, { name: "[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html", }, { name: "20180104 CPU Side-Channel Information Disclosure Vulnerabilities", tags: [ "vendor-advisory", "x_refsource_CISCO", ], url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel", }, { name: "USN-3516-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/usn/usn-3516-1/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html", }, { name: "43427", tags: [ "exploit", "x_refsource_EXPLOIT-DB", ], url: "https://www.exploit-db.com/exploits/43427/", }, { name: "SUSE-SU-2018:0020", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00013.html", }, { name: "USN-3541-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3541-2/", }, { tags: [ "x_refsource_MISC", ], url: "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.lenovo.com/us/en/solutions/LEN-18282", }, { name: "USN-3777-3", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3777-3/", }, { name: "openSUSE-SU-2018:0023", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"https://www.vmware.com/security/advisories/VMSA-2018-0007.html", }, { name: "SUSE-SU-2018:0008", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00004.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4613", }, { name: "USN-3561-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3561-1/", }, { name: "USN-3582-2", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/3582-2/", }, { name: "20190624 [SECURITY] [DSA 4469-1] libvirt security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Jun/36", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf", }, { name: "FreeBSD-SA-19:26", tags: [ "vendor-advisory", "x_refsource_FREEBSD", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc", }, { name: "20191112 FreeBSD Security Advisory FreeBSD-SA-19:26.mcu", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Nov/16", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/155281/FreeBSD-Security-Advisory-FreeBSD-SA-19-26.mcu.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.paloaltonetworks.com/CVE-2017-5715", }, { name: "[debian-lts-announce] 20200320 [SECURITY] [DLA 2148-1] amd64-microcode security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2020/03/msg00025.html", }, { name: "[debian-lts-announce] 20210816 [SECURITY] [DLA 2743-1] amd64-microcode security update", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00019.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secure@intel.com", DATE_PUBLIC: "2018-01-03T00:00:00", ID: "CVE-2017-5715", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Microprocessors with Speculative Execution", version: { version_data: [ { version_value: "All", }, ], }, }, ], }, vendor_name: "Intel Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "http://nvidia.custhelp.com/app/answers/detail/a_id/4609", refsource: "CONFIRM", url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4609", }, { name: "USN-3560-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3560-1/", }, { name: "[debian-lts-announce] 20180714 [SECURITY] [DLA 1422-1] linux security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2018/07/msg00015.html", }, { name: "DSA-4187", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4187", }, { name: "USN-3542-2", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3542-2/", }, { name: "GLSA-201810-06", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/201810-06", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: 
"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "USN-3540-2", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3540-2/", }, { name: "https://access.redhat.com/security/vulnerabilities/speculativeexecution", refsource: "CONFIRM", url: "https://access.redhat.com/security/vulnerabilities/speculativeexecution", }, { name: "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002", refsource: "CONFIRM", url: "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002", }, { name: "[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html", }, { name: "USN-3597-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3597-1/", }, { name: "[debian-lts-announce] 20180715 [SECURITY] [DLA 1422-2] linux security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2018/07/msg00016.html", }, { name: "SUSE-SU-2018:0012", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00008.html", }, { name: "SUSE-SU-2018:0011", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00007.html", }, { name: "http://nvidia.custhelp.com/app/answers/detail/a_id/4611", refsource: "CONFIRM", url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4611", }, { name: "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html", refsource: "MISC", url: "https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html", }, { name: "DSA-4213", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4213", }, { name: "https://cert.vde.com/en-us/advisories/vde-2018-002", refsource: "CONFIRM", url: "https://cert.vde.com/en-us/advisories/vde-2018-002", }, { name: "DSA-4120", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4120", }, { name: 
"openSUSE-SU-2018:0013", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00009.html", }, { name: "USN-3580-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3580-1/", }, { name: "https://support.f5.com/csp/article/K91229003", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K91229003", }, { name: "USN-3531-3", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3531-3/", }, { name: "USN-3620-2", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3620-2/", }, { name: "openSUSE-SU-2018:0022", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00014.html", }, { name: "USN-3582-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3582-1/", }, { name: "DSA-4188", refsource: "DEBIAN", url: "https://www.debian.org/security/2018/dsa-4188", }, { name: "RHSA-2018:0292", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0292", }, { name: "http://xenbits.xen.org/xsa/advisory-254.html", refsource: "CONFIRM", url: "http://xenbits.xen.org/xsa/advisory-254.html", }, { name: "https://security.netapp.com/advisory/ntap-20180104-0001/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20180104-0001/", }, { name: "SUSE-SU-2018:0019", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00012.html", }, { name: "https://www.synology.com/support/security/Synology_SA_18_01", refsource: "CONFIRM", url: "https://www.synology.com/support/security/Synology_SA_18_01", }, { name: "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/145645/Spectre-Information-Disclosure-Proof-Of-Concept.html", }, { name: "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt", refsource: "CONFIRM", url: "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-001.txt", }, { name: "102376", refsource: "BID", url: 
"http://www.securityfocus.com/bid/102376", }, { name: "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", refsource: "CONFIRM", url: "https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability", }, { name: "USN-3594-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3594-1/", }, { name: "VU#584653", refsource: "CERT-VN", url: "http://www.kb.cert.org/vuls/id/584653", }, { name: "VU#180049", refsource: "CERT-VN", url: "https://www.kb.cert.org/vuls/id/180049", }, { name: "https://cert.vde.com/en-us/advisories/vde-2018-003", refsource: "CONFIRM", url: "https://cert.vde.com/en-us/advisories/vde-2018-003", }, { name: "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes", refsource: "CONFIRM", url: "https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes", }, { name: "SUSE-SU-2018:0009", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00005.html", }, { name: "USN-3690-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3690-1/", }, { name: "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us", refsource: "CONFIRM", url: "https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03805en_us", }, { name: "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001", refsource: "CONFIRM", url: "https://www.mitel.com/en-ca/support/security-advisories/mitel-product-security-advisory-18-0001", }, { name: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03871en_us", refsource: "CONFIRM", url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03871en_us", }, { name: "https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html", refsource: "CONFIRM", url: 
"https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html", }, { name: "USN-3549-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3549-1/", }, { name: "SUSE-SU-2018:0007", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00003.html", }, { name: "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/", refsource: "CONFIRM", url: "https://www.suse.com/c/suse-addresses-meltdown-spectre-vulnerabilities/", }, { name: "https://support.citrix.com/article/CTX231399", refsource: "CONFIRM", url: "https://support.citrix.com/article/CTX231399", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "https://spectreattack.com/", refsource: "MISC", url: "https://spectreattack.com/", }, { name: "USN-3531-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3531-1/", }, { name: "FreeBSD-SA-18:03", refsource: "FREEBSD", url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-18:03.speculative_execution.asc", }, { name: "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/", refsource: "CONFIRM", url: "https://aws.amazon.com/de/security/security-bulletins/AWS-2018-013/", }, { name: "SUSE-SU-2018:0006", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00002.html", }, { name: "USN-3581-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3581-1/", }, { name: "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/", refsource: "CONFIRM", url: "https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/", }, { name: "1040071", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040071", }, { name: "[debian-lts-announce] 20180916 [SECURITY] [DLA 1506-1] intel-microcode security update", refsource: "MLIST", url: 
"https://lists.debian.org/debian-lts-announce/2018/09/msg00017.html", }, { name: "https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr", refsource: "CONFIRM", url: "https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr", }, { name: "USN-3597-2", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3597-2/", }, { name: "USN-3581-2", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3581-2/", }, { name: "http://nvidia.custhelp.com/app/answers/detail/a_id/4614", refsource: "CONFIRM", url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4614", }, { name: "SUSE-SU-2018:0010", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00006.html", }, { name: "[debian-lts-announce] 20180502 [SECURITY] [DLA 1369-1] linux security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2018/05/msg00000.html", }, { name: "20180104 CPU Side-Channel Information Disclosure Vulnerabilities", refsource: "CISCO", url: "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180104-cpusidechannel", }, { name: "USN-3516-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/usn/usn-3516-1/", }, { name: "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html", refsource: "CONFIRM", url: "https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html", }, { name: "43427", refsource: "EXPLOIT-DB", url: "https://www.exploit-db.com/exploits/43427/", }, { name: "SUSE-SU-2018:0020", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00013.html", }, { name: "USN-3541-2", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3541-2/", }, { name: "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html", refsource: "MISC", url: "https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html", }, { name: 
"https://support.lenovo.com/us/en/solutions/LEN-18282", refsource: "CONFIRM", url: "https://support.lenovo.com/us/en/solutions/LEN-18282", }, { name: "USN-3777-3", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3777-3/", }, { name: "openSUSE-SU-2018:0023", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00016.html", }, { name: "https://www.vmware.com/security/advisories/VMSA-2018-0007.html", refsource: "CONFIRM", url: "https://www.vmware.com/security/advisories/VMSA-2018-0007.html", }, { name: "SUSE-SU-2018:0008", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2018-01/msg00004.html", }, { name: "http://nvidia.custhelp.com/app/answers/detail/a_id/4613", refsource: "CONFIRM", url: "http://nvidia.custhelp.com/app/answers/detail/a_id/4613", }, { name: "USN-3561-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3561-1/", }, { name: "USN-3582-2", refsource: "UBUNTU", url: "https://usn.ubuntu.com/3582-2/", }, { name: "20190624 [SECURITY] [DSA 4469-1] libvirt security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Jun/36", }, { name: "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt", refsource: "CONFIRM", url: "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-003.txt", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { name: "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf", refsource: "CONFIRM", url: "https://cert-portal.siemens.com/productcert/pdf/ssa-608355.pdf", }, { name: "FreeBSD-SA-19:26", refsource: "FREEBSD", url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-19:26.mcu.asc", }, { name: "20191112 FreeBSD Security Advisory FreeBSD-SA-19:26.mcu", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Nov/16", }, { name: 
"http://packetstormsecurity.com/files/155281/FreeBSD-Security-Advisory-FreeBSD-SA-19-26.mcu.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/155281/FreeBSD-Security-Advisory-FreeBSD-SA-19-26.mcu.html", }, { name: "https://security.paloaltonetworks.com/CVE-2017-5715", refsource: "CONFIRM", url: "https://security.paloaltonetworks.com/CVE-2017-5715", }, { name: "[debian-lts-announce] 20200320 [SECURITY] [DLA 2148-1] amd64-microcode security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2020/03/msg00025.html", }, { name: "[debian-lts-announce] 20210816 [SECURITY] [DLA 2743-1] amd64-microcode security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2021/08/msg00019.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "6dda929c-bb53-4a77-a76d-48e79601a1ce", assignerShortName: "intel", cveId: "CVE-2017-5715", datePublished: "2018-01-04T13:00:00Z", dateReserved: "2017-02-01T00:00:00", dateUpdated: "2024-09-17T03:28:57.728Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-2688
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:32
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
URL | Tags
---|---
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/102692 | vdb-entry, x_refsource_BID
Impacted products
Vendor | Product | Version
---|---|---
Oracle Corporation | VM VirtualBox | Version: unspecified < 5.1.32; Version: unspecified < 5.2.6
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T04:29:43.816Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102692", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/102692", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2018-2688", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T19:20:02.608862Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T20:32:37.574Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "VM VirtualBox", vendor: "Oracle Corporation", versions: [ { lessThan: "5.1.32", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "5.2.6", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2018-01-03T00:00:00", descriptions: [ { lang: "en", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).", }, ], problemTypes: [ { descriptions: [ { description: "Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-18T10:57:01", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102692", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/102692", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2018-2688", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "VM VirtualBox", version: { version_data: [ { version_affected: "<", version_value: "5.1.32", }, { version_affected: "<", version_value: "5.2.6", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. 
Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", }, ], }, ], }, references: { reference_data: [ { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040202", }, { name: "102692", refsource: "BID", url: "http://www.securityfocus.com/bid/102692", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2018-2688", datePublished: "2018-01-18T02:00:00", dateReserved: "2017-12-15T00:00:00", dateUpdated: "2024-10-03T20:32:37.574Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-3735
Vulnerability from cvelistv5
Published
2017-08-28 19:00
Modified
2024-09-16 21:08
Summary
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.
References
Impacted products
Vendor | Product | Version
---|---|---
OpenSSL Software Foundation | OpenSSL | Version: 1.1.0; Version: 1.0.2
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T14:39:41.087Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "1039726", tags: [ "vdb-entry", "x_transferred", ], url: "http://www.securitytracker.com/id/1039726", }, { name: "USN-3611-2", tags: [ "vendor-advisory", "x_transferred", ], url: "https://usn.ubuntu.com/3611-2/", }, { name: "DSA-4018", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2017/dsa-4018", }, { name: "GLSA-201712-03", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.gentoo.org/glsa/201712-03", }, { name: "[debian-lts-announce] 20171109 [SECURITY] [DLA-1157-1] openssl security update", tags: [ "mailing-list", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2017/11/msg00011.html", }, { name: "RHSA-2018:3505", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:3505", }, { name: "DSA-4017", tags: [ "vendor-advisory", "x_transferred", ], url: "https://www.debian.org/security/2017/dsa-4017", }, { name: "RHSA-2018:3221", tags: [ "vendor-advisory", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:3221", }, { name: "100515", tags: [ "vdb-entry", "x_transferred", ], url: "http://www.securityfocus.com/bid/100515", }, { name: "FreeBSD-SA-17:11", tags: [ "vendor-advisory", "x_transferred", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc", }, { tags: [ "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { tags: [ "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ 
"x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20171107-0002/", }, { tags: [ "x_transferred", ], url: "https://support.apple.com/HT208331", }, { tags: [ "x_transferred", ], url: "https://github.com/openssl/openssl/commit/068b963bb7afc57f5bdd723de0dd15e7795d5822", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20170927-0001/", }, { tags: [ "x_transferred", ], url: "https://www.tenable.com/security/tns-2017-15", }, { tags: [ "x_transferred", ], url: "https://www.openssl.org/news/secadv/20171102.txt", }, { tags: [ "x_transferred", ], url: "https://www.tenable.com/security/tns-2017-14", }, { tags: [ "x_transferred", ], url: "https://www.openssl.org/news/secadv/20170828.txt", }, { tags: [ "x_transferred", ], url: "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "OpenSSL", vendor: "OpenSSL Software Foundation", versions: [ { status: "affected", version: "1.1.0", }, { status: "affected", version: "1.0.2", }, ], }, ], datePublic: "2017-08-28T00:00:00", descriptions: [ { lang: "en", value: "While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. 
This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.", }, ], problemTypes: [ { descriptions: [ { description: "out of bounds read", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-12-13T00:00:00", orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5", shortName: "openssl", }, references: [ { name: "1039726", tags: [ "vdb-entry", ], url: "http://www.securitytracker.com/id/1039726", }, { name: "USN-3611-2", tags: [ "vendor-advisory", ], url: "https://usn.ubuntu.com/3611-2/", }, { name: "DSA-4018", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2017/dsa-4018", }, { name: "GLSA-201712-03", tags: [ "vendor-advisory", ], url: "https://security.gentoo.org/glsa/201712-03", }, { name: "[debian-lts-announce] 20171109 [SECURITY] [DLA-1157-1] openssl security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2017/11/msg00011.html", }, { name: "RHSA-2018:3505", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:3505", }, { name: "DSA-4017", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2017/dsa-4017", }, { name: "RHSA-2018:3221", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2018:3221", }, { name: "100515", tags: [ "vdb-entry", ], url: "http://www.securityfocus.com/bid/100515", }, { name: "FreeBSD-SA-17:11", tags: [ "vendor-advisory", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc", }, { url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { url: 
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { url: "https://security.netapp.com/advisory/ntap-20171107-0002/", }, { url: "https://support.apple.com/HT208331", }, { url: "https://github.com/openssl/openssl/commit/068b963bb7afc57f5bdd723de0dd15e7795d5822", }, { url: "https://security.netapp.com/advisory/ntap-20170927-0001/", }, { url: "https://www.tenable.com/security/tns-2017-15", }, { url: "https://www.openssl.org/news/secadv/20171102.txt", }, { url: "https://www.tenable.com/security/tns-2017-14", }, { url: "https://www.openssl.org/news/secadv/20170828.txt", }, { url: "https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf", }, ], }, }, cveMetadata: { assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5", assignerShortName: "openssl", cveId: "CVE-2017-3735", datePublished: "2017-08-28T19:00:00Z", dateReserved: "2016-12-16T00:00:00", dateUpdated: "2024-09-16T21:08:28.987Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-2685
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:32
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
URL | Tags
---|---
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/102689 | vdb-entry, x_refsource_BID
cve-2018-2694
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:31
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
References
URL | Tags
---|---
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/102687 | vdb-entry, x_refsource_BID
Impacted products
Vendor | Product | Version
---|---|---
Oracle Corporation | VM VirtualBox | Version: unspecified < 5.1.32; Version: unspecified < 5.2.6
cve-2018-2690
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:32
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
URL | Tags
---|---
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/102694 | vdb-entry, x_refsource_BID
Impacted products
Vendor | Product | Version
---|---|---
Oracle Corporation | VM VirtualBox | Version: unspecified < 5.1.32; Version: unspecified < 5.2.6
cve-2017-5645
Vulnerability from cvelistv5
Published
2017-04-17 21:00
Modified
2024-08-05 15:11
Summary
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache Log4j | Version: All versions between 2.0-alpha1 and 2.8.1
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T15:11:47.391Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2017:2888", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:2809", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "97702", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/97702", }, { name: "1041294", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1041294", }, { name: "RHSA-2017:2810", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "RHSA-2017:1801", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { name: "RHSA-2017:2889", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "RHSA-2017:2635", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { name: "RHSA-2017:2638", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { name: "RHSA-2017:1417", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { name: "RHSA-2017:2423", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { name: "RHSA-2017:2808", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "1040200", tags: [ 
"vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040200", }, { name: "RHSA-2017:2636", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { name: "RHSA-2017:3399", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { name: "RHSA-2017:2637", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { name: "RHSA-2017:3244", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { name: "RHSA-2017:3400", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { name: "RHSA-2017:2633", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { name: "RHSA-2017:2811", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { name: "RHSA-2017:1802", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { name: "RHSA-2019:1545", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "[logging-dev] 20191215 Re: Is there any chance that there will be a security fix for log4j-v1.2.17?", tags: [ "mailing-list", "x_refsource_MLIST", 
"x_transferred", ], url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc%40%3Cdev.logging.apache.org%3E", }, { name: "[logging-dev] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", }, { name: "[oss-security] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { name: "[announce] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", }, { name: "[logging-dev] 20191219 Re: [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9%40%3Cdev.logging.apache.org%3E", }, { name: "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E", }, { name: 
"[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 
5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 
1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E", }, { name: "[logging-commits] 20200425 svn commit: r1059809 - /websites/production/logging/content/log4j/2.13.2/security.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d%40%3Ccommits.logging.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { name: "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable 
to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5594: [FE][Bug]Update log4j-web to fix a security issue", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422%40%3Ccommits.doris.apache.org%3E", }, { name: "[beam-issues] 20210528 [jira] [Created] (BEAM-12422) Vendored gRPC 1.36.0 is using a log4j version with security issues", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287%40%3Cissues.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik 
opened a new pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] edited a comment on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] suztomo commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44%40%3Cgithub.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache Log4j", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "All versions between 2.0-alpha1 and 2.8.1", }, ], }, ], datePublic: "2017-04-02T00:00:00", descriptions: [ { lang: "en", value: "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or 
UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.", }, ], problemTypes: [ { descriptions: [ { description: "Remote Code Execution.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2022-02-07T14:40:00", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "RHSA-2017:2888", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:2809", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "97702", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/97702", }, { name: "1041294", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1041294", }, { name: "RHSA-2017:2810", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "RHSA-2017:1801", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { name: "RHSA-2017:2889", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "RHSA-2017:2635", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { name: "RHSA-2017:2638", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { name: "RHSA-2017:1417", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { name: "RHSA-2017:2423", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { name: "RHSA-2017:2808", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: 
"https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "1040200", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040200", }, { name: "RHSA-2017:2636", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { name: "RHSA-2017:3399", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { name: "RHSA-2017:2637", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { name: "RHSA-2017:3244", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { name: "RHSA-2017:3400", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { name: "RHSA-2017:2633", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { name: "RHSA-2017:2811", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { name: "RHSA-2017:1802", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { name: "RHSA-2019:1545", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "[logging-dev] 20191215 Re: Is there any chance that there will be a security fix for log4j-v1.2.17?", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc%40%3Cdev.logging.apache.org%3E", }, { name: "[logging-dev] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", }, { name: "[oss-security] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { name: "[announce] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", }, { name: "[logging-dev] 20191219 Re: [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9%40%3Cdev.logging.apache.org%3E", }, { name: "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version 
used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 Re: 
[jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E", }, { name: "[logging-commits] 20200425 svn commit: r1059809 - /websites/production/logging/content/log4j/2.13.2/security.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d%40%3Ccommits.logging.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { tags: [ "x_refsource_MISC", ], url: 
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { name: "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in geode-core-1.12", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull 
request #5594: [FE][Bug]Update log4j-web to fix a security issue", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422%40%3Ccommits.doris.apache.org%3E", }, { name: "[beam-issues] 20210528 [jira] [Created] (BEAM-12422) Vendored gRPC 1.36.0 is using a log4j version with security issues", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287%40%3Cissues.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik opened a new pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] edited a comment on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f%40%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] suztomo commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44%40%3Cgithub.beam.apache.org%3E", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2017-5645", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache Log4j", version: { version_data: [ { version_value: "All versions between 2.0-alpha1 and 2.8.1", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Remote Code Execution.", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2017:2888", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2888", }, { name: "RHSA-2017:2809", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2809", }, { name: "97702", refsource: "BID", url: "http://www.securityfocus.com/bid/97702", }, { name: "1041294", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1041294", }, { name: "RHSA-2017:2810", refsource: 
"REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2810", }, { name: "RHSA-2017:1801", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1801", }, { name: "RHSA-2017:2889", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2889", }, { name: "RHSA-2017:2635", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2635", }, { name: "RHSA-2017:2638", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2638", }, { name: "RHSA-2017:1417", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1417", }, { name: "RHSA-2017:2423", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2423", }, { name: "RHSA-2017:2808", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2808", }, { name: "1040200", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040200", }, { name: "RHSA-2017:2636", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2636", }, { name: "RHSA-2017:3399", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3399", }, { name: "RHSA-2017:2637", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2637", }, { name: "RHSA-2017:3244", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3244", }, { name: "RHSA-2017:3400", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:3400", }, { name: "RHSA-2017:2633", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2633", }, { name: "RHSA-2017:2811", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:2811", }, { name: "RHSA-2017:1802", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2017:1802", }, { name: "RHSA-2019:1545", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:1545", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", 
refsource: "MLIST", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", }, { name: "[logging-dev] 20191215 Re: Is there any chance that there will be a security fix for log4j-v1.2.17?", refsource: "MLIST", url: "https://lists.apache.org/thread.html/e8fb7d76a244ee997ba4b217d6171227f7c2521af8c7c5b16cba27bc@%3Cdev.logging.apache.org%3E", }, { name: "[logging-dev] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125@%3Cdev.logging.apache.org%3E", }, { name: "[oss-security] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/12/19/2", }, { name: "[announce] 20191218 [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917@%3Cannounce.apache.org%3E", }, { name: "[logging-dev] 20191219 Re: [CVE-2019-17571] Apache Log4j 1.2 deserialization of untrusted data in SocketServer", refsource: "MLIST", url: "https://lists.apache.org/thread.html/0dcca05274d20ef2d72584edcf8c917bbb13dbbd7eb35cae909d02e9@%3Cdev.logging.apache.org%3E", }, { name: "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E", }, { name: "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 Re: [jira] 
[Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E", }, { name: "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] 
[CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E", }, { name: "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E", }, { name: "[logging-commits] 20200425 svn commit: r1059809 - /websites/production/logging/content/log4j/2.13.2/security.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ra9a682bc0a8dff1c5cefdef31c7c25f096d9121207cf2d74e2fc563d@%3Ccommits.logging.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "https://www.oracle.com/security-alerts/cpujul2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: 
"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2020.html", }, { name: "https://security.netapp.com/advisory/ntap-20181107-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20181107-0002/", }, { name: "https://security.netapp.com/advisory/ntap-20180726-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20180726-0002/", }, { name: "https://issues.apache.org/jira/browse/LOG4J2-1863", refsource: "CONFIRM", url: "https://issues.apache.org/jira/browse/LOG4J2-1863", }, { name: "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E", }, { name: "[geode-issues] 20200831 [jira] [Created] (GEODE-8471) Dependency security issues in 
geode-core-1.12", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "[doris-commits] 20210402 [GitHub] [incubator-doris] zh0122 opened a new pull request #5594: [FE][Bug]Update log4j-web to fix a security issue", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rcbb79023a7c8494cb389cd3d95420fa9e0d531ece0b780b8c1f99422@%3Ccommits.doris.apache.org%3E", }, { name: "[beam-issues] 20210528 [jira] [Created] (BEAM-12422) Vendored gRPC 1.36.0 is using a log4j version with security issues", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r0831e2e52a390758ce39a6193f82c11c295175adce6e6307de28c287@%3Cissues.beam.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rbfa7a0742be4981a3f9356a23d0e1a5f2e1eabde32a1a3d8e41420f8@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] lukecwik opened a new pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r23369fd603eb6d62d3b883a0a28d12052dcbd1d6d531137124cd7f83@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by 
CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r9d5c1b558a15d374bd5abd2d3ae3ca7e50e796a0efdcf91e9c5b4cdd@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] codecov[bot] edited a comment on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r94b5aae09c4bcff5d06cf641be17b00bd83ba7e10cad737bf16a1b8f@%3Cgithub.beam.apache.org%3E", }, { name: "[beam-github] 20210701 [GitHub] [beam] suztomo commented on pull request #15113: [BEAM-12422] Upgrade log4j version not affected by CVE-2017-5645", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rdbd579dc223f06af826d7de340218ee2f80d8b43fa7e4decb2a63f44@%3Cgithub.beam.apache.org%3E", }, { name: "https://www.oracle.com/security-alerts/cpuoct2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2021.html", }, { name: "https://www.oracle.com/security-alerts/cpujan2022.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2022.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2017-5645", datePublished: "2017-04-17T21:00:00", dateReserved: "2017-01-29T00:00:00", dateUpdated: "2024-08-05T15:11:47.391Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-2689
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:32
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
URL | Tags |
---|---|
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM |
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK |
http://www.securityfocus.com/bid/102693 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version |
---|---|---|
Oracle Corporation | VM VirtualBox | unspecified < 5.1.32; unspecified < 5.2.6 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T04:29:44.377Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102693", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/102693", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2018-2689", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T19:20:26.234552Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T20:32:31.829Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "VM VirtualBox", vendor: "Oracle Corporation", versions: [ { lessThan: "5.1.32", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "5.2.6", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2018-01-03T00:00:00", descriptions: [ { lang: "en", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).", }, ], problemTypes: [ { descriptions: [ { description: "Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-18T10:57:01", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102693", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/102693", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2018-2689", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "VM VirtualBox", version: { version_data: [ { version_affected: "<", version_value: "5.1.32", }, { version_affected: "<", version_value: "5.2.6", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. 
Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", }, ], }, ], }, references: { reference_data: [ { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040202", }, { name: "102693", refsource: "BID", url: "http://www.securityfocus.com/bid/102693", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2018-2689", datePublished: "2018-01-18T02:00:00", dateReserved: "2017-12-15T00:00:00", dateUpdated: "2024-10-03T20:32:31.829Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-2676
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:33
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
References
URL | Tags |
---|---|
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM |
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK |
http://www.securityfocus.com/bid/102699 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version |
---|---|---|
Oracle Corporation | VM VirtualBox | unspecified < 5.1.32; unspecified < 5.2.6 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T04:29:42.953Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102699", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/102699", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2018-2676", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T19:19:54.769430Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T20:33:57.572Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "VM VirtualBox", vendor: "Oracle Corporation", versions: [ { lessThan: "5.1.32", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "5.2.6", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2018-01-03T00:00:00", descriptions: [ { lang: "en", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. 
CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).", }, ], problemTypes: [ { descriptions: [ { description: "Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-18T10:57:01", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102699", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/102699", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2018-2676", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "VM VirtualBox", version: { version_data: [ { version_affected: "<", version_value: "5.1.32", }, { version_affected: "<", version_value: "5.2.6", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. 
While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", }, ], }, ], }, references: { reference_data: [ { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040202", }, { name: "102699", refsource: "BID", url: "http://www.securityfocus.com/bid/102699", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2018-2676", datePublished: "2018-01-18T02:00:00", dateReserved: "2017-12-15T00:00:00", dateUpdated: "2024-10-03T20:33:57.572Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-2693
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:31
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Guest Additions). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).
References
URL | Tags |
---|---|
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM |
http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK |
http://www.securityfocus.com/bid/102702 | vdb-entry, x_refsource_BID |
Impacted products
Vendor | Product | Version |
---|---|---|
Oracle Corporation | VM VirtualBox | unspecified < 5.1.32; unspecified < 5.2.6 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T04:29:44.013Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102702", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/102702", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2018-2693", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T19:20:05.649375Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T20:31:59.488Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "VM VirtualBox", vendor: "Oracle Corporation", versions: [ { lessThan: "5.1.32", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "5.2.6", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2018-01-03T00:00:00", descriptions: [ { lang: "en", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Guest Additions). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).", }, ], problemTypes: [ { descriptions: [ { description: "Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-18T10:57:01", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102702", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/102702", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2018-2693", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "VM VirtualBox", version: { version_data: [ { version_affected: "<", version_value: "5.1.32", }, { version_affected: "<", version_value: "5.2.6", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Guest Additions). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. 
Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", }, ], }, ], }, references: { reference_data: [ { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040202", }, { name: "102702", refsource: "BID", url: "http://www.securityfocus.com/bid/102702", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2018-2693", datePublished: "2018-01-18T02:00:00", dateReserved: "2017-12-15T00:00:00", dateUpdated: "2024-10-03T20:31:59.488Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2017-3736
Vulnerability from cvelistv5
Published
2017-11-02 17:00
Modified
2024-09-16 20:12
Summary
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
References
Impacted products
Vendor | Product | Version |
---|---|---|
OpenSSL Software Foundation | OpenSSL | 1.1.0 - 1.1.0f; 1.0.2 - 1.0.2l |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T14:39:39.687Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20171107-0002/", }, { name: "RHSA-2018:2185", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2185", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/openssl/openssl/commit/4443cf7aa0099e5ce615c18cee249fff77fb0871", }, { name: "RHSA-2018:2186", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2186", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "RHSA-2018:2713", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2713", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "DSA-4018", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2017/dsa-4018", }, { name: "GLSA-201712-03", tags: [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred", ], url: "https://security.gentoo.org/glsa/201712-03", }, { name: "RHSA-2018:0998", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:0998", }, { name: "RHSA-2018:2575", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2575", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"https://www.tenable.com/security/tns-2017-15", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "101666", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/101666", }, { name: "RHSA-2018:2568", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2568", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.openssl.org/news/secadv/20171102.txt", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "DSA-4017", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2017/dsa-4017", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.tenable.com/security/tns-2017-14", }, { name: "FreeBSD-SA-17:11", tags: [ "vendor-advisory", "x_refsource_FREEBSD", "x_transferred", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc", }, { name: "1039727", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1039727", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_us", }, { name: "RHSA-2018:2187", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2018:2187", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: 
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "OpenSSL", vendor: "OpenSSL Software Foundation", versions: [ { status: "affected", version: "1.1.0 - 1.1.0f", }, { status: "affected", version: "1.0.2 - 1.0.2l", }, ], }, ], datePublic: "2017-11-02T00:00:00", descriptions: [ { lang: "en", value: "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. 
This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.", }, ], problemTypes: [ { descriptions: [ { description: "carry-propagating bug", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-07-23T22:31:33", orgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5", shortName: "openssl", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20171107-0002/", }, { name: "RHSA-2018:2185", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2185", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/openssl/openssl/commit/4443cf7aa0099e5ce615c18cee249fff77fb0871", }, { name: "RHSA-2018:2186", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2186", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "RHSA-2018:2713", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2713", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "DSA-4018", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2017/dsa-4018", }, { name: "GLSA-201712-03", tags: [ "vendor-advisory", "x_refsource_GENTOO", ], url: "https://security.gentoo.org/glsa/201712-03", }, { name: "RHSA-2018:0998", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:0998", }, { name: "RHSA-2018:2575", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2575", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"https://www.tenable.com/security/tns-2017-15", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "101666", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/101666", }, { name: "RHSA-2018:2568", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2568", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.openssl.org/news/secadv/20171102.txt", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "DSA-4017", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2017/dsa-4017", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.tenable.com/security/tns-2017-14", }, { name: "FreeBSD-SA-17:11", tags: [ "vendor-advisory", "x_refsource_FREEBSD", ], url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc", }, { name: "1039727", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1039727", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_us", }, { name: "RHSA-2018:2187", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2018:2187", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "openssl-security@openssl.org", DATE_PUBLIC: "2017-11-02T00:00:00", ID: "CVE-2017-3736", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { 
product_name: "OpenSSL", version: { version_data: [ { version_value: "1.1.0 - 1.1.0f", }, { version_value: "1.0.2 - 1.0.2l", }, ], }, }, ], }, vendor_name: "OpenSSL Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. 
This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "carry-propagating bug", }, ], }, ], }, references: { reference_data: [ { name: "https://security.netapp.com/advisory/ntap-20171107-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20171107-0002/", }, { name: "RHSA-2018:2185", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2185", }, { name: "https://github.com/openssl/openssl/commit/4443cf7aa0099e5ce615c18cee249fff77fb0871", refsource: "MISC", url: "https://github.com/openssl/openssl/commit/4443cf7aa0099e5ce615c18cee249fff77fb0871", }, { name: "RHSA-2018:2186", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2186", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "RHSA-2018:2713", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2713", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", refsource: "CONFIRM", url: "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", }, { name: "DSA-4018", refsource: "DEBIAN", url: "https://www.debian.org/security/2017/dsa-4018", }, { name: "GLSA-201712-03", refsource: "GENTOO", url: "https://security.gentoo.org/glsa/201712-03", }, { name: "RHSA-2018:0998", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:0998", }, { name: "RHSA-2018:2575", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2575", }, { name: 
"https://www.tenable.com/security/tns-2017-15", refsource: "CONFIRM", url: "https://www.tenable.com/security/tns-2017-15", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", }, { name: "101666", refsource: "BID", url: "http://www.securityfocus.com/bid/101666", }, { name: "RHSA-2018:2568", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2568", }, { name: "https://www.openssl.org/news/secadv/20171102.txt", refsource: "CONFIRM", url: "https://www.openssl.org/news/secadv/20171102.txt", }, { name: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", }, { name: "DSA-4017", refsource: "DEBIAN", url: "https://www.debian.org/security/2017/dsa-4017", }, { name: "https://www.tenable.com/security/tns-2017-14", refsource: "CONFIRM", url: "https://www.tenable.com/security/tns-2017-14", }, { name: "FreeBSD-SA-17:11", refsource: "FREEBSD", url: "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc", }, { name: "1039727", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1039727", }, { name: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_us", refsource: "CONFIRM", url: "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_us", }, { name: "RHSA-2018:2187", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2018:2187", }, { name: "https://security.netapp.com/advisory/ntap-20180117-0002/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20180117-0002/", }, { name: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", 
}, { name: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", refsource: "MISC", url: "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "3a12439a-ef3a-4c79-92e6-6081a721f1e5", assignerShortName: "openssl", cveId: "CVE-2017-3736", datePublished: "2017-11-02T17:00:00Z", dateReserved: "2016-12-16T00:00:00", dateUpdated: "2024-09-16T20:12:39.274Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2018-2687
Vulnerability from cvelistv5
Published
2018-01-18 02:00
Modified
2024-10-03 20:32
Summary
Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
References
| URL | Tags |
|---|---|
| http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html | x_refsource_CONFIRM |
| http://www.securitytracker.com/id/1040202 | vdb-entry, x_refsource_SECTRACK |
| http://www.securityfocus.com/bid/102691 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Oracle Corporation | VM VirtualBox | Version: unspecified < 5.1.32; Version: unspecified < 5.2.6 |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-05T04:29:44.041Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102691", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/102691", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2018-2687", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-03T19:20:07.069376Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-03T20:32:43.910Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "VM VirtualBox", vendor: "Oracle Corporation", versions: [ { lessThan: "5.1.32", status: "affected", version: "unspecified", versionType: "custom", }, { lessThan: "5.2.6", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], datePublic: "2018-01-03T00:00:00", descriptions: [ { lang: "en", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. 
Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).", }, ], problemTypes: [ { descriptions: [ { description: "Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-18T10:57:01", orgId: "43595867-4340-4103-b7a2-9a5208d29a85", shortName: "oracle", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1040202", }, { name: "102691", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/102691", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert_us@oracle.com", ID: "CVE-2018-2687", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "VM VirtualBox", version: { version_data: [ { version_affected: "<", version_value: "5.1.32", }, { version_affected: "<", version_value: "5.2.6", }, ], }, }, ], }, vendor_name: "Oracle Corporation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core). Supported versions that are affected are Prior to 5.1.32 and Prior to 5.2.6. 
Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.0 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.", }, ], }, ], }, references: { reference_data: [ { name: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", refsource: "CONFIRM", url: "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", }, { name: "1040202", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1040202", }, { name: "102691", refsource: "BID", url: "http://www.securityfocus.com/bid/102691", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "43595867-4340-4103-b7a2-9a5208d29a85", assignerShortName: "oracle", cveId: "CVE-2018-2687", datePublished: "2018-01-18T02:00:00", dateReserved: "2017-12-15T00:00:00", dateUpdated: "2024-10-03T20:32:43.910Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.