
EGI CSIRT:Alerts/VENOM-2015-05-13

From EGIWiki, revision as of 10:30, 14 May 2015 by Cornwall.



** WHITE information - Unlimited distribution allowed  **

** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **


EGI SVG   ADVISORY [EGI-SVG-CSIRT-2015-05-13]

Title:       EGI SVG and CSIRT Advisory potentially "Critical" risk
"VENOM: QEMU vulnerability (CVE-2015-3456)"

Date:        2015-05-13
Updated:


URL:       https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/VENOM-2015-05-13


Introduction
============

A serious vulnerability has been found that allows, in the worst case,
a guest-to-host escape, in most cases with root privileges on the host.

All x86 and x86-64 based HVM Xen and QEMU/KVM guests are affected.

Patches are available for some but not all of the affected software; see [R 1] to [R 7].

More information will be provided later, including which situations in EGI are likely to be vulnerable.


Details
=======

For a description of this vulnerability see [R 1].

A description by Red Hat is in [R 2].



Risk category
=============

Although there is currently no publicly known exploit that would make use of this vulnerability, EGI sites are strongly advised to follow the recommendations below.

Sites should be aware they may be asked on short notice to update and/or carry out other mitigating action urgently.


Affected software
=================

For Red Hat
-----------

This has been fixed for various versions; see [R 3].


For Debian
-----------

See [R 4] and [R 7].


For Ubuntu
-----------

At the time of writing, updates are not yet available [R 5].


Xen
----

See [R 6].




Mitigation
==========

N/A.



Component installation information
==================================

See the software providers' information.



Recommendations
===============

Sites are recommended to update the relevant components and to follow the instructions provided by the software vendors to mitigate the risk.
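One check a site administrator may want after applying the vendor updates, added here as an example and not part of this advisory: a running QEMU/KVM guest keeps executing the old QEMU binary until it is restarted (or live-migrated to an updated host), so updating the package alone does not remove the exposure. The script below assumes a Linux ``/proc`` layout and lists QEMU processes whose on-disk executable has been replaced since they started; the optional argument that overrides ``/proc`` is a hypothetical convenience for testing against a constructed directory tree.

```shell
#!/bin/sh
# Added example: find QEMU/KVM processes still running a replaced binary.
# Linux marks such processes by appending " (deleted)" to the target of
# /proc/PID/exe. Reading exe links of other users' processes needs root.
# Usage: stale_qemu_pids [proc_root]   (proc_root defaults to /proc)

stale_qemu_pids() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        # cmdline is NUL-separated; argv[0] is the program name
        argv0=$(tr '\000' '\n' < "$dir/cmdline" 2>/dev/null | head -n 1)
        case "$argv0" in
            *qemu*) ;;          # qemu-system-*, qemu-kvm, ...
            *) continue ;;
        esac
        # readlink fails for processes we may not inspect; skip those
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") echo "${dir##*/} $argv0 $target" ;;
        esac
    done
}

# Stand-alone run against the real /proc; no output means no stale guests found.
stale_qemu_pids
```

Each reported PID is a guest that must be restarted or live-migrated before the host can be considered patched.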


Credit
======

This vulnerability was discovered by Jason Geffner, CrowdStrike Senior Security Researcher, and SVG was alerted to it by Sven Gabriel, the EGI Security Officer [R 1].


References
==========

[R 1] http://venom.crowdstrike.com/

[R 2] https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/

[R 3] https://access.redhat.com/articles/1444903

[R 4] https://security-tracker.debian.org/tracker/CVE-2015-3456

[R 5] https://bugs.launchpad.net/bugs/cve/2015-3456

[R 6] Xen: http://seclists.org/oss-sec/2015/q2/421

[R 7] Debian: https://lists.debian.org/debian-security-announce/2015/msg00148.html



Comments
========

Comments or questions should be sent to svg-rat@mailman.egi.eu

We are currently revising the vulnerability issue handling procedure so suggestions and comments are welcome.



Timeline
========

2015-05-13 SVG alerted to this issue by Sven Gabriel the EGI Security officer
2015-05-13 All those who looked agreed on 'Critical' risk
2015-05-13 Advisory/alert drafted and sent to sites