A new security advisory, CVE-2015-3456, known as VENOM (Virtualized Environment Neglected Operations Manipulation), was released today. Our Security Team has thoroughly reviewed this vulnerability, and we want to reassure Linode customers that it does not affect any part of the Linode infrastructure and that no action is required on your part.
What is VENOM?
VENOM is a security vulnerability in the code in QEMU that emulates a virtual floppy disk controller. On affected platforms, this code can be exploited to escape from a virtual machine guest and gain privileged access to the host.
Why is Linode not affected?
XSA-133, the Xen Security Advisory that covers this vulnerability, states that “Systems running only x86 PV guests are not vulnerable”. The vulnerability applies to guests that rely on QEMU for device emulation: KVM guests and Xen HVM guests. Linode only uses Xen PV guests, which are not affected. Specifically, Xen PV guests do not require QEMU at all.
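As an added example (not code from Linode's post), the following shell function performs, from inside a Linux guest, the check that the paragraph above relies on: whether the guest is a Xen PV guest, which has no QEMU device model, or an HVM/KVM guest, whose host runs QEMU and therefore needs the fixed QEMU. It assumes the standard Linux sysfs paths; the optional root-prefix argument exists so it can be run against a constructed directory tree.

```shell
# Added example, not code from Linode's post: classify a Linux guest from
# the inside as Xen PV (no QEMU device model, so CVE-2015-3456 does not apply)
# or HVM/KVM (the host's QEMU device model is in use and needs the fix).
# $1 is an optional root prefix so the check can be run against a constructed
# sysfs tree instead of the live system.
venom_guest_class() {
    root="${1:-}"
    hv_type="$root/sys/hypervisor/type"
    guest_type="$root/sys/hypervisor/guest_type"
    sys_vendor="$root/sys/class/dmi/id/sys_vendor"

    if [ -r "$hv_type" ] && [ "$(cat "$hv_type")" = "xen" ]; then
        # Newer kernels expose the guest type directly (PV, HVM or PVH).
        if [ -r "$guest_type" ]; then
            case "$(cat "$guest_type")" in
                PV)  echo "xen-pv: no QEMU, not exposed to VENOM"; return 0 ;;
                HVM) echo "xen-hvm: QEMU on host, host needs patched QEMU"; return 0 ;;
                *)   echo "xen-other: $(cat "$guest_type"), confirm with provider"; return 0 ;;
            esac
        fi
        # Older kernels: PV guests boot without SMBIOS tables, while HVM guests
        # see a virtual BIOS whose DMI vendor string is "Xen".
        if [ -r "$sys_vendor" ] && [ "$(cat "$sys_vendor")" = "Xen" ]; then
            echo "xen-hvm: QEMU on host, host needs patched QEMU"; return 0
        fi
        echo "xen-pv: no QEMU, not exposed to VENOM"; return 0
    fi

    # No Xen hypervisor node: fall back to the DMI vendor string alone.
    if [ -r "$sys_vendor" ]; then
        case "$(cat "$sys_vendor")" in
            Xen)  echo "xen-hvm: QEMU on host, host needs patched QEMU"; return 0 ;;
            QEMU) echo "kvm: QEMU on host, host needs patched QEMU"; return 0 ;;
        esac
    fi
    echo "unknown: not recognisably Xen or QEMU/KVM, confirm with provider"
    return 0
}

# Usage on the live system (no prefix): prints one line describing this guest.
venom_guest_class "${1:-}"
```

A "xen-pv" result confirms the situation described in the post; any other result means the host's QEMU, not the guest, is where the fix has to land.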
What do I need to do?
Fortunately, nothing needs to be done to your Linode at this time. The Linode Security Team constantly monitors all CVEs and XSAs to ensure that our internal infrastructure and customer Linodes are as secure as possible.
What about the KVM beta?
Hi Matt, thanks for the question!
We have already patched the version of QEMU that is being used by KVM beta customers so it is also no longer an issue.
Good job, guys.
Thanks a lot James!
James, there are clearly too many of us on the internet.
Happy customer here. Just became aware of the issue. Came by to check relevance for Linode users. Left an even-happier customer. 😉