Access to the affected Oracle VM VirtualBox system must be gained to exploit this vulnerability.

Impact: a low-privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes.

Assume that an attacker has gained access to the affected Oracle VM VirtualBox system. To exploit this vulnerability, the attacker must be able to run code in the context of the domain user (not root). Depending on the operating system, this may be possible via local user login, via remote access, etc. If the operating system supports it, the attacker may then be able to run code in the context of the Oracle VM VirtualBox domain user, which permits access to data that would otherwise be protected by a password.

Workarounds: there are no workarounds other than ensuring that the Oracle VM VirtualBox system is not accessible to non-privileged users.

Fix Information: this issue is fixed in Oracle VM VirtualBox 6.1.32. Update the Oracle VM VirtualBox component to 6.1.32 or later.

CVE-2019-3832 TZR - Apache ZF2 before 2.9.10, 3.0 before 3.0.2, 3.1 before 3.1.0, 3.2 before 3.2.0, and 3.3 before 3.

The TZR module for Apache ZF2 is vulnerable to remote code execution.

Impact: an attacker who can intercept and modify traffic between a victim and another host on the same network may be able to exploit this vulnerability.

Assume that an attacker is capable of intercepting and modifying traffic between a victim and another host on the same network. To exploit this vulnerability, the attacker must also be able to run code on the affected system. Depending on the operating system, this may be possible via local user login, via remote access, etc. If the operating system supports it, the attacker may be able to run code in the context of the Apache ZF2 domain user (not root), which permits access to data that would otherwise be protected by a password.

Workarounds: there are no workarounds other than ensuring that Apache ZF2 is not installed, or that it is not running.

Fix Information: this issue is fixed in Apache ZF2 2.9.10. Update the Apache ZF2 component to 2.9.10 or later (or to the corresponding fixed release of the 3.x branches listed above).

TZR - Time Zone Reflection Denial of Service Vulnerability

The vulnerability is caused by an error in the logic that handles UTC (Coordinated Universal Time) offsets. It can be exploited by submitting a specially crafted request containing an offset of 0, which causes the application to enter an infinite loop and consume all available CPU and memory.

TZR did not correctly check whether a time zone offset was negative for certain calls. The fix introduces a check for negative offsets in the affected time zone reflection calls. It was applied to TZR in version 2.9.10 on September 12th, 2019, and to the 3.x branches (3.0 before 3.0.2, 3.1 before 3.1.0, 3.2 before 3.2.0, and 3.3 before 3.3) on December 28th, 2019.

The TZR Time Zone Library Vulnerability

A vulnerability in the Time Zone Library (TZL) of Apache Zend Framework 2 (Apache ZF2) before 2.9.10, 3.0 before 3.0.2, 3.1 before 3.1.0, 3.2 before 3.2.0, and 3.3 before 3.3 allows an unauthenticated user to gain access to vulnerable systems via a specially crafted request, which can lead to arbitrary code execution on the system.

The vulnerability affects the time zone library used by Apache Zend Framework 2 components and by PHP date functions such as date_sunrise and date_sunset.

TZR (Time Zone Resolver) is an Apache ZF2 module.

This module provides fast access to the current time zone for a given IANA time zone code. It is intended to be used in formulae and other computations.
The default time zone is set by the operating system, but this module allows a user-defined time zone to be used instead.
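The offset-handling flaw described above (an offset of 0, and negative offsets that were not checked, driving a loop that never terminates) and the IANA zone lookup this module performs are illustrated together in the following added example. It is not TZR's or ZF2's code: ZF2 is a PHP framework, and this is standalone Python built on the standard library's zoneinfo module. The function names, the step-until-boundary loop, the offset range limits and the sample timestamp are constructed for the illustration and are not taken from the advisory.

```python
import datetime as dt
from typing import Optional
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Assumed bounds for the illustration: IANA zones currently span UTC-12:00 to UTC+14:00.
MIN_OFFSET = -12 * 3600
MAX_OFFSET = 14 * 3600
DAY = 86400


def utc_offset_seconds(iana_name: str, when: Optional[dt.datetime] = None) -> int:
    """Resolve an IANA zone name (e.g. 'Asia/Kolkata') to its UTC offset in seconds
    at the instant `when` (default: now). Unknown names raise ValueError."""
    when = when or dt.datetime.now(dt.timezone.utc)
    try:
        zone = ZoneInfo(iana_name)
    except ZoneInfoNotFoundError as exc:
        raise ValueError(f"unknown IANA zone: {iana_name!r}") from exc
    return int(when.astimezone(zone).utcoffset().total_seconds())


def validate_offset(offset) -> int:
    """Accept a user-supplied offset only if it is an int (not bool) within the
    assumed IANA range. 0 and negative values are legitimate and pass."""
    if isinstance(offset, bool) or not isinstance(offset, int):
        raise ValueError("offset must be an integer number of seconds")
    if not MIN_OFFSET <= offset <= MAX_OFFSET:
        raise ValueError(f"offset {offset} outside [{MIN_OFFSET}, {MAX_OFFSET}]")
    return offset


def step_past_boundary_naive(ts: int, offset: int, max_iter: int = 100_000) -> Optional[int]:
    """Vulnerable shape (hypothetical, not TZR's code): advance `ts` in offset-sized
    steps until it passes the next UTC day boundary. With offset 0 the value never
    moves; with a negative offset it moves away from the boundary. Both would loop
    forever; `max_iter` exists only so this demonstration returns None instead of
    hanging."""
    boundary = (ts // DAY + 1) * DAY
    for _ in range(max_iter):
        if ts >= boundary:
            return ts
        ts += offset
    return None  # would have spun indefinitely


def next_local_midnight_utc(ts: int, offset) -> int:
    """Hardened replacement: validate the offset, then compute the UTC instant of
    the next local midnight arithmetically. Constant time for any offset,
    including 0 and negative values."""
    offset = validate_offset(offset)
    local = ts + offset
    return (local // DAY + 1) * DAY - offset


if __name__ == "__main__":
    # Constructed input: 00:16:40 UTC on the epoch day, with several zone offsets.
    ts = 1000
    print(step_past_boundary_naive(ts, 3600))   # 87400: a positive offset terminates
    print(step_past_boundary_naive(ts, 0))      # None: the offset-0 hang
    print(step_past_boundary_naive(ts, -3600))  # None: the unchecked-negative hang
    when = dt.datetime(2022, 1, 19, 12, 15, tzinfo=dt.timezone.utc)
    for name in ("UTC", "Asia/Kolkata", "America/New_York"):
        try:
            off = utc_offset_seconds(name, when)
        except ValueError as exc:  # no zone database on this host
            print(exc)
            continue
        print(name, off, next_local_midnight_utc(ts, off))
```

The point of the hardened version is that loop termination must never depend on the sign or magnitude of a caller-supplied offset. An offset of 0 (UTC) and negative offsets (the Americas) are valid inputs, so the fix is to bound the offset to the range a real zone can have and to replace iteration with arithmetic, rather than to reject those values.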

Timeline

Published on: 01/19/2022 12:15:00 UTC
Last modified on: 01/25/2022 04:00:00 UTC

References