VENOM

Differences between revisions 8 and 9
Revision 8 as of 2015-05-13 15:45:41
Size: 2056
Editor: tyhicks
Comment:
Revision 9 as of 2015-05-13 15:52:49
Size: 2475
Editor: tyhicks
Comment:
Deletions are marked like this. Additions are marked like this.
Line 5: Line 5:

This issue is mitigated in a couple ways on Ubuntu. The QEMU process in the host environment is owned by a special libvirt-qemu user which helps to limit access to resources in the host environment. Additionally, the QEMU process is confined by an !AppArmor profile that is intended to lessen the impact of a vulnerability such as VENOM by reducing the host environment's attack surface.
Line 11: Line 13:
A fix for this issue has been [[ http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c | committed ]] in the upstream QEMU source code tracker. Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. The Ubuntu Security Team is in the process of testing updated packages. Security updates will be soon be available. A fix for this issue has been [[ http://git.qemu.org/?p=qemu.git;a=commitdiff;h=e907746266721f305d67bc0718795fedee2e824c | committed ]] in the upstream QEMU source code tracker. Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. The Ubuntu Security Team is in the process of testing updated packages. Ubuntu security updates will be be available after testing is complete.

QEMU buffer overflow in floppy disk controller (CVE-2015-3456 aka VENOM)

It was discovered that a buffer overflow existed in the virtual floppy disk controller of QEMU. An attacker could use this issue to cause QEMU to crash or execute arbitrary code in the host's QEMU process.

This issue is mitigated in a couple ways on Ubuntu. The QEMU process in the host environment is owned by a special libvirt-qemu user which helps to limit access to resources in the host environment. Additionally, the QEMU process is confined by an AppArmor profile that is intended to lessen the impact of a vulnerability such as VENOM by reducing the host environment's attack surface.

A fix for this issue has been committed in the upstream QEMU source code tracker. Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. The Ubuntu Security Team is in the process of testing updated packages. Ubuntu security updates will be be available after testing is complete.

Timeline

  • 2015 Apr 30: The Ubuntu Security Team is notified by CrowdStrike via the linux-distros list, with a pending CRD of 2015-05-13 12:00 UTC

  • 2015 Apr 30: Issue became public via CrowdStrike's VENOM page and the notification email sent to the oss-security mailing list

Public Cloud Archive updates

  • Ubuntu Cloud Archive Packages: <IN PROGRESS>

CategoryTemplate

SecurityTeam/KnowledgeBase/VENOM (last edited 2015-05-14 06:19:56 by sbeattie)