References for VirtualBox licensing issues here:
Whonix ™ Virtualization Platforms
On VirtualBox security, ticket VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed does look really bad due to non-responsiveness and non-progress.
To learn more, see: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed and the associated VirtualBox forum discussion. [2] Users must patiently wait for VirtualBox developers to fix this bug.
VirtualBox version 5.2.18
or above is required since only that version comes with Spectre/Meltdown defenses. See Whonix vulerable due to missing processor microcode packages? spectre / meltdown / retpoline / L1 Terminal Fault (L1TF) - #22 by Patrick.
Also see the following Whonix forum discussion: Whonix vulerable due to missing processor microcode packages? spectre / meltdown / retpoline / L1 Terminal Fault (L1TF)
Perhaps this feedback can be used to improve chapter Whonix ™ for KVM? @HulaHoop