CVE-2015-3456, aka “Venom”, is a security vulnerability in the virtual floppy disk controller (FDC) emulation in QEMU, which the KVM and Xen virtualization platforms also use for their guests. The emulated floppy controller is present in affected guests by default, whether or not the guest ever uses a floppy drive.
This vulnerability potentially allows an attacker with administrative (root) access inside an affected virtual machine to escape from the confines of that guest and execute code on the host system, with the privileges of the emulator process.
We are not aware of any exploit code for this vulnerability in the wild at the time of writing.
Is my virtual machine affected?
Yes, both BigV and legacy virtual machines are affected.
Given how much control this vulnerability could give an attacker, we’re proactively updating both BigV and the legacy virtual machine platform to eliminate this vulnerability.
Do I need to do anything?
No. We are patching BigV to eliminate this vulnerability.
We are in the process of live-migrating customers’ virtual machines to hosts that already run the patched emulator. Because the fix lives on the host side, a migrated guest picks it up without any change inside the guest.
You will not need to reboot your BigV virtual machine, nor should you see any impact on running services.
We will update this thread when the live-migration is complete.
Legacy VM users
Your legacy virtual machine must be rebooted: we have now deployed a patch to the platform, but a virtual machine that is already running keeps using the old emulator code until it is restarted.
Please reboot your legacy virtual machine as soon as possible. Machines that have not been rebooted will be automatically rebooted starting from Friday 15 May 2015, 07:00 UTC+1 (BST).
Dedicated servers are only affected if you use Xen, KVM or QEMU on them to run your own virtual machines.
In this case, we strongly recommend you apply the latest package updates (in particular the qemu and/or xen packages) on your dedicated server as early as possible, and then restart or migrate your running guests so that they pick up the patched emulator. If you are a managed customer, we can assist – please email firstname.lastname@example.org.
Xen users: see http://xenbits.xen.org/xsa/advisory-133.html (XSA-133) for more information.
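Updating the qemu or xen packages on a dedicated server replaces the binaries on disk, but every guest that was already running keeps the old, unpatched code mapped until its emulator process is restarted. The following POSIX shell script, an added example and not Bytemark’s or the QEMU/Xen projects’ code, finds those processes on a Linux host: when a running executable has been replaced, the kernel reports its /proc/PID/exe link target with a “ (deleted)” suffix. The process names it matches (qemu, qemu-kvm, qemu-dm, qemu-system-*) are an assumption and may need adjusting for your platform; /proc/PID/comm is truncated to 15 characters, so qemu-system-x86_64 appears as qemu-system-x86.

```shell
#!/bin/sh
# Added example (not Bytemark's code): after upgrading the qemu/xen packages on a
# host, list emulator processes that are still running the *old* binary.
# A running QEMU (or Xen qemu-dm) keeps the unpatched code mapped until the
# process is restarted, even though the file on disk has been replaced; on
# Linux, readlink /proc/PID/exe then ends in " (deleted)".
#
# Assumptions (adjust for your platform): emulator processes are named qemu,
# qemu-kvm, qemu-dm or qemu-system-*; /proc/PID/comm is truncated to 15 chars,
# so qemu-system-x86_64 shows up as qemu-system-x86.

# stale_emulators [PROC_ROOT]
# Prints "PID EXE" for each matching process whose executable was replaced
# on disk since it started. PROC_ROOT defaults to /proc; a constructed tree
# with the same layout can be passed for testing.
stale_emulators() {
    root="${1:-/proc}"
    for pid_dir in "$root"/[0-9]*; do
        [ -d "$pid_dir" ] || continue
        comm=$(cat "$pid_dir/comm" 2>/dev/null) || continue
        case "$comm" in
            qemu|qemu-kvm|qemu-dm|qemu-system-*) ;;
            *) continue ;;
        esac
        exe=$(readlink "$pid_dir/exe" 2>/dev/null) || continue
        case "$exe" in
            *" (deleted)") printf '%s %s\n' "${pid_dir##*/}" "$exe" ;;
        esac
    done
}

# check_host [PROC_ROOT]
# Returns 1 if any emulator is still running replaced code, 0 otherwise, so it
# can gate the restart / live-migration step of a maintenance script.
check_host() {
    stale=$(stale_emulators "${1:-/proc}")
    if [ -n "$stale" ]; then
        printf 'Emulators still running unpatched code (restart or migrate):\n%s\n' "$stale"
        return 1
    fi
    printf 'No emulator processes are running replaced binaries.\n'
    return 0
}
```

Source the file and run `check_host` as root after the package upgrade; repeat it after restarting or migrating the guests it lists until it returns 0. Note that a reboot issued from inside a guest does not necessarily replace the emulator process (some management stacks only reset the machine within the existing process), whereas a shutdown followed by a start, or a live migration to an already patched host, always does.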