PatchSiren

CVE-2017-3332 Oracle CVE debrief

CVE-2017-3332 is a high-severity Oracle VM VirtualBox vulnerability in the SVGA Emulation component. According to the supplied Oracle/NVD record, a low-privileged attacker with logon access to the system running VirtualBox could compromise the application, leading to unauthorized data modification and repeated crashes or denial of service. The record also notes that impact may extend beyond VirtualBox itself.

Vendor: Oracle
Product: CVE-2017-3332
CVSS: HIGH 8.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-27
Original CVE updated: 2026-05-13
Advisory published: 2017-01-27
Advisory updated: 2026-05-13

Who should care

Administrators and operators running Oracle VM VirtualBox on systems where untrusted or low-privileged users can log in, especially environments that rely on VirtualBox for development, testing, or shared infrastructure.

Technical summary

The supplied NVD record rates this issue CVSS v3.0 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H). The vulnerability is described as being in Oracle VM VirtualBox SVGA Emulation and affecting supported versions prior to 5.0.32 and prior to 5.1.14. The documented impact is loss of integrity and availability, including unauthorized creation, deletion, or modification of data and a hang or repeatable crash of VirtualBox.

Defensive priority

High

Recommended defensive actions

  • Upgrade Oracle VM VirtualBox to a fixed release at or above the versions stated in the Oracle advisory and NVD record.
  • Review systems where low-privileged local users can log in and restrict access where VirtualBox is installed.
  • Prioritize patching on shared workstations, lab hosts, and other multi-user systems that run VirtualBox.
  • Monitor Oracle security advisories and NVD updates for any additional version-scope clarifications.
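
To support the upgrade and prioritization steps above, the following added example (not code from Oracle, NVD or PatchSiren) triages an inventory of VirtualBox version strings against the two boundaries in this record, 5.0.32 and 5.1.14. The hostnames, revision suffixes and status labels are constructed for illustration; branches the record does not name are reported as "unlisted" for manual review rather than guessed at.

```python
from __future__ import annotations
import re

# First fixed patch level in each branch named by the record
# (affected: prior to 5.0.32 and prior to 5.1.14).
FIXED = {(5, 0): 32, (5, 1): 14}

# Leading major.minor.patch; anything after it (e.g. an 'r<revision>'
# suffix as printed by `VBoxManage --version`) is ignored.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'unlisted' or 'unparsed'."""
    m = _VERSION.match(version)
    if not m:
        return "unparsed"
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch is not named in the record: flag for manual review.
        return "unlisted"
    return "affected" if patch < fixed_patch else "fixed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so affected hosts can be patched first."""
    result: dict[str, list[str]] = {}
    for host, version in sorted(inventory.items()):
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed sample inventory (hostnames and revisions are illustrative).
SAMPLE = {
    "lab-01": "5.0.30r112061",
    "lab-02": "5.0.32",
    "dev-07": "5.1.12r112440",
    "dev-08": "5.1.14r112924",
    "build-3": "4.3.40",
    "kiosk-1": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:9} {', '.join(hosts)}")
```
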

Evidence notes

The supplied CVE description states affected versions are VirtualBox prior to 5.0.32 and prior to 5.1.14. The NVD metadata in the supplied source also lists vulnerable CPE entries for 5.0.30 and 5.1.12. CVSS vector supplied by NVD is CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H. No exploit details beyond the public record are included here.

Official resources

Publicly disclosed on 2017-01-27T22:59:04.927Z; the supplied NVD record was later modified on 2026-05-13T00:24:29.033Z.