jerryl

VENOM (CVE-2015-3456) - The latest Internet security panic

Discussion created by jerryl on May 13, 2015
Latest reply on Aug 29, 2016 by julie.gordon

Today's hot security vulnerability - described by some as "bigger than Heartbleed" - is CVE-2015-3456 (VENOM).  How does it affect VMTurbo?  Brief answer:  The bug is unrelated to anything VMTurbo itself does, and VMTurbo administrators need do nothing specific to deal with VENOM.  If you want to know the details ... read on.

 

VENOM is an old (2004!) bug in QEMU, which is a component of open-source hypervisors including Xen, KVM, and Oracle VM.  Processes running within guest operating systems under the control of these hypervisors can leverage the bug to crash, and perhaps gain control over, the hypervisor and the physical machine on which it runs.  Note that OpenStack platforms typically rely on KVM and are vulnerable.  VMware, Microsoft Hyper-V, and Bochs hypervisors are not vulnerable.

 

VMTurbo ships pre-configured guest operating systems which run under a variety of hypervisors, some affected by VENOM, some not.  VMTurbo does not ship the hypervisors themselves.  VENOM is not a bug in any VMTurbo product, or in the operating system under which it runs.  Nothing can be done within the guests themselves, much less the applications running within those guests, to prevent potential exploitation of the bug.

 

Patches are available for VENOM on all affected hypervisors, and it is prudent for any customers who have not already done so to patch their hypervisors as soon as possible.  For convenience, here are some relevant resources:

 

  1. Official Red Hat description (covering OpenStack and KVM), including links to patches:  https://access.redhat.com/articles/1444903
  2. Official Xen description, including links to patches:  http://xenbits.xen.org/xsa/advisory-133.html
  3. Announcement by the discoverer of the bug, with many details and links to patches:  http://venom.crowdstrike.com
  4. Additional coverage of details on the bug:  http://www.tripwire.com/state-of-security/latest-security-news/bigger-than-heartbleed-venom-leaves-millions-of-virtual-machines-vulnerable/

 

                                                        -- Jerry

 
