$ vagrant --version
Vagrant 2.2.2
macOS 10.14
Linux (all varieties, but in this specific case Ubuntu 16.04).
Using Drupal VM's Vagrantfile, but reproducible with even a simple one after vagrant init.
$ vagrant up
Bringing machine 'test' up with 'virtualbox' provider...
==> mis: Checking if box 'geerlingguy/drupal-vm' is up to date...
==> mis: Clearing any previously set forwarded ports...
==> mis: Vagrant has detected a configuration issue which exposes a
==> mis: vulnerability with the installed version of VirtualBox. The
==> mis: current guest is configured to use an E1000 NIC type for a
==> mis: network adapter which is vulnerable in this version of VirtualBox.
==> mis: Ensure the guest is trusted to use this configuration or update
==> mis: the NIC type using one of the methods below:
==> mis:
==> mis: https://www.vagrantup.com/docs/virtualbox/configuration.html#default-nic-type
==> mis: https://www.vagrantup.com/docs/virtualbox/networking.html#virtualbox-nic-type
==> mis: Clearing any previously set network interfaces...
...
The warning about the E1000 NIC should not be displayed, because I am running VirtualBox 5.2.22, which contains the fix for that vulnerability, at least according to https://github.com/MorteNoir1/virtualbox_e1000_0day/issues/12
The warning about the E1000 NIC vulnerability is displayed.
vagrant init and vagrant up
(Note that in the last issue linked above, it was mentioned "warning will go away after upgrading virtualbox", but that seems to not be the case.)
It looks like the warning was added 8 days ago in https://github.com/hashicorp/vagrant/commit/d589aa9f81003ddeb07ff2e82231caa37173265e
And it looks like this line defines 5.2.22 as a vulnerable version:
https://github.com/hashicorp/vagrant/commit/d589aa9f81003ddeb07ff2e82231caa37173265e#diff-8b80dd35d96f38ecfec8bc57f4320e49R14
Should that condition be <= 5.2.20 instead?
@geerlingguy Yep, thanks! It was my mistake when I was going through the vbox source code and seeing where the changeset ended up. I have a PR staged to fix the requirement so it will stop warning on 5.2.22.
Thanks again!
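The version boundary discussed in this thread, as an added example (not Vagrant's code and not written by any participant here): a gate that warns only when the VirtualBox version falls inside a vulnerable range and an adapter uses an E1000 NIC type. The constant and helper names are hypothetical, the two constraints are constructed from the versions quoted above, and the NIC type strings are VirtualBox's `--nictype` names for the E1000 family.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed from the thread: the first constraint also matches 5.2.22, the
# release reported to contain the fix; the second is the bound proposed above.
TOO_WIDE = Gem::Requirement.new("<= 5.2.22")
PROPOSED = Gem::Requirement.new("<= 5.2.20")

# VirtualBox --nictype values that select the emulated Intel E1000 family.
E1000_NIC_TYPES = %w[82540EM 82543GC 82545EM].freeze

# Hypothetical helper: reduce a string such as "5.2.22r126460" to its numeric
# release. Gem::Version treats a letter segment as a prerelease marker, so the
# raw string sorts *below* "5.2.22" and would match a "< 5.2.22" constraint.
def normalize_vbox_version(raw)
  m = raw.to_s.strip.match(/\A(\d+(?:\.\d+)*)/)
  raise ArgumentError, "unrecognized VirtualBox version: #{raw.inspect}" unless m
  Gem::Version.new(m[1])
end

# Hypothetical helper: true only when the version is inside the vulnerable
# range AND at least one configured adapter is an E1000 type.
def warn_about_e1000?(raw_version, nic_types, requirement = PROPOSED)
  return false unless requirement.satisfied_by?(normalize_vbox_version(raw_version))
  nic_types.any? { |t| E1000_NIC_TYPES.include?(t.to_s.upcase) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: [version string, adapter types].
  samples = [
    ["5.2.20", %w[82540EM]],
    ["5.2.22", %w[82540EM]],
    ["5.2.22r126460", %w[82540EM]],
    ["5.2.20", %w[virtio]],
  ]
  samples.each do |version, nics|
    wide = warn_about_e1000?(version, nics, TOO_WIDE)
    fixed = warn_about_e1000?(version, nics)
    puts format("%-14s %-10s too_wide=%-5s proposed=%s", version, nics.join(","), wide, fixed)
  end
end
```
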
@chrisroberts What did you do to fix the warning? Can you tell me the details?
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.