[German]Oracle has released an update for the virtualization solution Virtualbox on November 9, 2018. This updates VirtualBox to version 5.2.22. But it’s unclear, whether a 0-day vulnerability in previous builds has been fixed.
What’s changed in VirtualBox 5.2.22
The new version 5.2.22 is a maintenance update. According to the changelog the following has been fixed, changed or improved in VirtualBox 5.2.22.
- Audio: fixed a regression in the Core Audio backend causing a hang when returning from host sleep when processing input buffers
- Audio: fixed a potential crash in the HDA emulation if a stream has no valid mixer sink attached — thanks to Rink Springer (rink@…)
- Windows hosts: fixed an incompatibility with recent versions of Windows 10 (bug #17977)
- Windows hosts: fixed a number of brigded networking driver crashes (bug #18046)
- Linux Additions: disable 3D for recent guests using Wayland (bug #18116)
- Linux Additions: fix for rebuilding kernel modules for new kernels on RPM guests
- Linux Additions: further fixes for Linux 4.19
- Linux Additions: fixed errors rebuilding initrd files with dracut on EL 6 (bug 18055#)
- Linux Additions: fixed 5.2.20 regression: guests not remembering the screen size after shutdown and restart (bug #18078)
The new version of the virtualization software can be downloaded for Windows, Mac OSX and Linux from this download page. Please note that an updated version of the VirtualBox Oracle VM VirtualBox Extension Pack must also be downloaded and installed. VirtualBox can be used freely, but there are special license terms for the Extension Pack.
Unclear whether 0-day exploit is fixed
On November 8, 2018 I reported a 0-day exploit in Virtualbox up to version 5.2.20 (see my blog post VirtualBox: Exploit for 0-day vulnerability). This allows guests with administrator privileges to break out of the VM via the network adapter and take over the host. I’m not sure if the update to VirtualBox version 5.2.22 fixes this 0-day vulnerability. On Github, this commenter has the same question. Therefore, if someone is still using VirtualBox, I recommend that you continue to use the mitigation solution described in my blog post.