Tenable calculates a dynamic Vulnerability Priority Rating (VPR) for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks.
VPR Score: 7.3
Synopsis
An application installed on the remote host is affected by multiple vulnerabilities.
Description
The version of the Oracle VM VirtualBox application installed on the remote host is 5.0.x prior to 5.0.28 or 5.1.x prior to 5.1.8. It is, therefore, affected by multiple vulnerabilities:
- Multiple unspecified flaws exist in the Core subcomponent that allow a local attacker to gain elevated privileges. (CVE-2016-5501, CVE-2016-5538)
- An unspecified flaw exists in the VirtualBox Remote Desktop Extension (VRDE) subcomponent that allows an unauthenticated, remote attacker to impact confidentiality and integrity. (CVE-2016-5605)
- Multiple unspecified flaws exist in the Core subcomponent that allow a local attacker to cause a denial of service condition. (CVE-2016-5608, CVE-2016-5613)
- An unspecified flaw exists in the Core subcomponent that allows a local attacker to impact integrity and availability. (CVE-2016-5610)
- An unspecified flaw exists in the Core subcomponent that allows a local attacker to disclose sensitive information. (CVE-2016-5611)
- A flaw exists in the OpenSSL subcomponent, specifically within the ssl_parse_clienthello_tlsext() function in t1_lib.c, due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition.
Solution
Upgrade to Oracle VM VirtualBox version 5.0.28 / 5.1.8 or later as referenced in the October 2016 Oracle Critical Patch Update advisory.