{"id":"MGASA-2021-0197","summary":"Updated virtualbox packages fix security vulnerabilities","details":"This update provides the upstream 6.1.20 maintenance release that fixes\nat least the following security vulnerabilities:\n\nA difficult to exploit vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows high privileged attacker with\nlogon to the infrastructure where Oracle VM VirtualBox executes to\ncompromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM\nVirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in takeover of Oracle\nVM VirtualBox (CVE-2021-2145, CVE-2021-2309, CVE-2021-2310).\n\nAn easily exploitable vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows high privileged attacker\nwith logon to the infrastructure where Oracle VM VirtualBox executes\nto compromise Oracle VM VirtualBox. While the vulnerability is in Oracle\nVM VirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in takeover of Oracle\nVM VirtualBox (CVE-2021-2250).\n\nAn easily exploitable vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows low privileged attacker with\nlogon to the infrastructure where Oracle VM VirtualBox executes to\ncompromise Oracle VM VirtualBox. 
While the vulnerability is in Oracle VM\nVirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in unauthorized\ncreation, deletion or modification access to critical data or all Oracle\nVM VirtualBox accessible data as well as unauthorized access to critical\ndata or complete access to all Oracle VM VirtualBox accessible data \n(CVE-2021-2264).\n\nAn easily exploitable vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows high privileged attacker with\nlogon to the infrastructure where Oracle VM VirtualBox executes to\ncompromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM\nVirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in unauthorized access\nto critical data or complete access to all Oracle VM VirtualBox accessible\ndata (CVE-2021-2266, CVE-2021-2306).\n\nA difficult to exploit vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows unauthenticated attacker with\nnetwork access via RDP to compromise Oracle VM VirtualBox. Successful\nattacks of this vulnerability can result in takeover of Oracle VM\nVirtualBox (CVE-2021-2279).\n\nAn easily exploitable vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows unauthenticated attacker with\nlogon to the infrastructure where Oracle VM VirtualBox executes to\ncompromise Oracle VM VirtualBox. 
While the vulnerability is in Oracle VM\nVirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in unauthorized access\nto critical data or complete access to all Oracle VM VirtualBox accessible\ndata (CVE-2021-2280, CVE-2021-2282, CVE-2021-2283, CVE-2021-2284,\nCVE-2021-2285, CVE-2021-2287).\n\nAn easily exploitable vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows unauthenticated attacker with\nlogon to the infrastructure where Oracle VM VirtualBox executes to\ncompromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM\nVirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in unauthorized\ncreation, deletion or modification access to critical data or all Oracle\nVM VirtualBox accessible data. (CVE-2021-2281, CVE-2021-2284,\nCVE-2021-2286).\n\nAn easily exploitable vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows low privileged attacker with\nlogon to the infrastructure where Oracle VM VirtualBox executes to\ncompromise Oracle VM VirtualBox. Successful attacks of this vulnerability\ncan result in unauthorized access to critical data or complete access to\nall Oracle VM VirtualBox accessible data (CVE-2021-2291).\n\nAn easily exploitable vulnerability in the Oracle VM VirtualBox\n(component: Core) prior to 6.1.20 allows high privileged attacker with\nlogon to the infrastructure where Oracle VM VirtualBox executes to\ncompromise Oracle VM VirtualBox. 
While the vulnerability is in Oracle VM\nVirtualBox, attacks may significantly impact additional products.\nSuccessful attacks of this vulnerability can result in unauthorized access\nto critical data or complete access to all Oracle VM VirtualBox accessible\ndata (CVE-2021-2296, CVE-2021-2297).\n\nThis update also fixes the following issues:\n- fixes a zombie spawning process for Virtualbox (mga#27362)\n- adds a workaround for a non-working file selection dialog with Plasma\n  (Mageia 8 only, mga#27433)\n- fixes installing the packaged Oracle VBoxDTrace Extension Pack (mga#27936)\n- removes a broken VBoxREM.so symlink that belongs to a feature not supported\n  in virtualbox 6.1 series (mga#28734).\n\nFor other upstream fixes in this update, see the referenced changelog.\n","modified":"2026-04-16T04:41:45.349796601Z","published":"2021-04-23T22:53:14Z","upstream":["CVE-2021-2145","CVE-2021-2250","CVE-2021-2264","CVE-2021-2266","CVE-2021-2279","CVE-2021-2280","CVE-2021-2281","CVE-2021-2282","CVE-2021-2283","CVE-2021-2284","CVE-2021-2285","CVE-2021-2286","CVE-2021-2287","CVE-2021-2291","CVE-2021-2296","CVE-2021-2297","CVE-2021-2306","CVE-2021-2309","CVE-2021-2310"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2021-0197.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28828"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27362"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27433"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=27936"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=28734"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2021.html#AppendixOVIR"},{"type":"WEB","url":"https://www.virtualbox.org/wiki/Changelog"}],"affected":[{"package":{"name":"virtualbox","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/virtualbox?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.20-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0197.json"}},{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.20-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0197.json"}},{"package":{"name":"virtualbox","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/virtualbox?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.20-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0197.json"}},{"package":{"name":"kmod-virtualbox","ecosystem":"Mageia:8","purl":"pkg:rpm/mageia/kmod-virtualbox?arch=source&distro=mageia-8"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.20-1.1.mga8"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2021-0197.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}