Skip to main content
BlogCloud OverviewsVENOM (CVE-2015-3456) Vulnerability and Linode

VENOM (CVE-2015-3456) Vulnerability and Linode

A new security advisory, CVE-2015-3456 called VENOM (Virtualized Environment Neglected Operations Manipulation), was released today. Our Security Team has thoroughly reviewed this vulnerability and we wanted to take a moment to reassure Linode customers that this vulnerability does not affect any part of the Linode infrastructure and no action is required on your part.

What is VENOM?

VENOM is a security vulnerability that exploits virtual floppy drive code in QEMU that emulates a floppy disk controller. On certain platforms, this code can be exploited which allows attackers to escape from a Virtual Machine guest and gain privileged access to the host.

Why is Linode not affected?

In XSA-133, which is the Xen Security Advisory that provides details related to this vulnerability, it states that “Systems running only x86 PV guests are not vulnerable”. This vulnerability applies to QEMU guests on KVM and XEN HVM Guests. Linode only uses XEN PV guests which are not affected by this vulnerability. Specifically, XEN PV guests do not require the use of QEMU.

What do I need to do?

Fortunately, nothing needs to be done at this time to your Linode. The Linode Security Team constantly monitors all CVE’s and XSA’s to ensure that our internal infrastructure and customer Linode’s are as secure as possible.


Comments (6)

  1. Author Photo

    What about the KVM beta?

  2. Author Photo

    Hi Matt, Thanks for the question!

    We have already patched the version of QEMU that is being used by KVM beta customers so it is also no longer an issue.

    Best,
    Lev

  3. Author Photo

    Good job, guys.

  4. Author Photo

    James, there are clearly too many of us on the internet.

  5. Author Photo

    Happy customer here. Just became aware of the issue. Came by to check relevance for Linode users. Left an even-happier customer. 😉

Leave a Reply

Your email address will not be published. Required fields are marked *