There is a serious vulnerability in the QEMU hardware emulator, which the Xen and KVM hypervisors use for device emulation, that allows a guest to corrupt memory in the host-side QEMU process and potentially break out to the host and to adjacent VMs running on the same platform. The vulnerability has been dubbed VENOM, short for Virtualized Environment Neglected Operations Manipulation. The bug has been present in QEMU's floppy controller code since 2004 and was publicly disclosed on 05/13/2015 by Jason Geffner of CrowdStrike. Here is the official CVE description for CVE-2015-3456:
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.
Oracle VM for x86 (among other hypervisors) is vulnerable, depending on your configuration. What makes this one so dangerous is that the vulnerable code is reachable from the default configuration of OVM, whereas most past exploits have only been possible with non-default configurations. One thing to note: this bug only affects you if you have HVM (Hardware Virtual Machine) guests, because only HVM guests get a QEMU device model and with it the emulated floppy controller code. If you have only PV (paravirtualized) VMs, you are not exposed. Caveat: an HVM guest does not need a floppy drive attached to be exposed. The floppy controller is initialized as part of QEMU's standard x86 machine whether or not a floppy image is configured, so any HVM guest in which an attacker has root (or an equivalent privilege that allows raw I/O port access) can send the malicious FDC commands.
I am attempting to contact Oracle to find out when (if not already) a patch will be available for download. However, I suspect it may be a few days to possibly weeks before they are released, as they have to backport a patched QEMU into all the different versions of Xen in the assorted releases of OVM that are currently supported.
I will post an update to this entry when I get more information. For now, here are the patches that I have been able to find:
It should be noted that installing the patch requires restarting every affected VM: the patched QEMU only takes effect for a guest once that guest's QEMU process is restarted, which means a reboot of the VM (a live migration to an already-patched host achieves the same thing, since a fresh QEMU process is started on the destination). Also, VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected since they don't use QEMU.
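Added here as an example, not code from the original post, Oracle, CrowdStrike or the QEMU project: a small POSIX shell triage script for the two practical questions above, which guests are HVM and therefore exposed, and which guests still need a reboot after the patched QEMU package lands. It assumes that an OVM guest's vm.cfg marks HVM guests with builder = "hvm" (PV guests use bootloader/kernel entries instead) and an attached floppy image with fda =/fdb =, and that qemu-dm ships in the xen RPM; the sample configs and timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example for this post (not Oracle's, CrowdStrike's or QEMU's code):
# triage OVM/Xen guests for VENOM exposure and flag guests still running a
# pre-patch QEMU. Assumptions: vm.cfg declares HVM guests with builder = "hvm"
# and an emulated floppy with fda = / fdb =; qemu-dm ships in the "xen" RPM.

# Constructed sample configs (not real OVM files) used to exercise the checks.
sample_hvm_cfg() {
cat <<'EOF'
builder = "hvm"
name = "ol6-hvm"
disk = ['file:/OVS/Repositories/repo1/VirtualDisks/a.img,hda,w']
fda = '/OVS/Repositories/repo1/ISOs/boot.img'
EOF
}

sample_pv_cfg() {
cat <<'EOF'
bootloader = '/usr/bin/pygrub'
name = "ol6-pv"
disk = ['file:/OVS/Repositories/repo1/VirtualDisks/b.img,xvda,w']
EOF
}

# vm_type: read a vm.cfg on stdin, print HVM or PV.
# The "." in the pattern stands for the opening quote (single or double).
vm_type() {
    if grep -Eiq '^[[:space:]]*builder[[:space:]]*=[[:space:]]*.hvm' ; then
        echo HVM
    else
        echo PV
    fi
}

# has_floppy: read a vm.cfg on stdin, print yes if an fda/fdb image is attached.
# Informational only: an HVM guest is exposed even with no floppy attached.
has_floppy() {
    if grep -Eq '^[[:space:]]*fd[ab][[:space:]]*=' ; then echo yes; else echo no; fi
}

# verdict: read a vm.cfg on stdin, print a one-line triage result.
verdict() {
    cfg=$(cat)
    type=$(printf '%s\n' "$cfg" | vm_type)
    floppy=$(printf '%s\n' "$cfg" | has_floppy)
    if [ "$type" = HVM ]; then
        echo "HVM floppy=$floppy EXPOSED: patch QEMU, then reboot this guest"
    else
        echo "PV  floppy=$floppy not exposed: no emulated floppy controller"
    fi
}

# needs_restart START PKG_INSTALL: true if the guest's qemu-dm process (start
# time, epoch seconds) predates the install of the patched package (epoch
# seconds), i.e. the guest is still running the old, vulnerable code.
# On a real host obtain the two values with (GNU date and procps assumed):
#   pkg_install=$(rpm -q --qf '%{INSTALLTIME}\n' xen | sort -n | tail -n 1)
#   proc_start=$(date -d "$(ps -o lstart= -p "$qemu_pid")" +%s)
needs_restart() {
    [ "$1" -lt "$2" ]
}

# Demo on the constructed samples. For real guests use:
#   verdict < /OVS/Repositories/<repo-uuid>/VirtualMachines/<vm-uuid>/vm.cfg
printf 'ol6-hvm: '; sample_hvm_cfg | verdict
printf 'ol6-pv:  '; sample_pv_cfg | verdict
if needs_restart 1431500000 1431600000; then
    echo "qemu-dm started before the patched package was installed: reboot required"
fi
```

Run it once per vm.cfg under /OVS/Repositories after patching; any guest reported as HVM whose qemu-dm process predates the package install is still running the vulnerable controller code regardless of what rpm -q says.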
*** UPDATE ***
I opened a case with Oracle Support and got this response:
With Oracle VM we don’t allow / expose the Virtual Floppy controller so it’s a non-issue.
"For the issue you need a floppy configured for the guest. No floppy, no problem."
I've been given half-accurate information before, and I don't have official confirmation from Oracle other than this. If I find out anything that conflicts with the statement above, I'll be sure to update this post.
*** UPDATE #2 ***
So it seems my concern was warranted after all. I just received an email basically stating that OVM 2.2, 3.2 and 3.3 are all exposed and require patches after all. So far, here’s the relevant information from InfoDOC 2010871.1 on what components need to be patched:
I'm guessing you may need to manually update the specific packages called out above to fix the problem in the short term. Longer term, I'm sure Oracle will come out with a patch/update that will fix the problem. Stay tuned for a post on how to manually update your systems and how to verify that you're no longer vulnerable.
*** UPDATE #3 ***
Oracle has just released OVM 3.3.3, which fixes the VENOM bug.