CVE-2015-3456 (aka VENOM)

Announce: venom.crowdstrike.com

Affects: versions through J-1.4.0

Description: An attacker with root privileges in a guest instance (either a malicious cloud user or someone with remote access to the VM) can exploit a flaw in the QEMU hypervisor and potentially execute code on the compute node, resulting in a VM escape.

Am I affected?

If you have untrusted cloud users or host Internet-facing applications, then you are at risk.

How to get protected from VENOM?

To get an early fix and avoid a full upgrade of the platform, here is a simple procedure to apply manually on each compute node:

1/ Activate package manager::

    # edeploy activate-pkgmngr

2/ Register to Red Hat CDN. (Please read this documentation)

3/ Update the QEMU package::

    # yum update qemu-kvm-rhev

4/ Deactivate package manager::

    # edeploy deactivate-pkgmngr

5/ Following the update, the guests (virtual machines) need to be powered off and started up again for the update to take effect. It is also possible to migrate guests away from the affected host, update the host, and then migrate the guests back. Please note that it is not enough to restart the guests, because a restarted guest would continue running using the same (old, not updated) QEMU binary::

    # nova evacuate
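
To confirm step 5 on a compute node, the following added example (not part of the original procedure) lists guests whose QEMU process is still executing the pre-update binary. It assumes Linux `/proc` semantics, where `/proc/<pid>/exe` reads as `<path> (deleted)` once the package update has replaced the file on disk; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find QEMU processes that still execute a binary which the
# package update has replaced on disk.
# Assumption: Linux /proc semantics, where /proc/<pid>/exe resolves to
# "<path> (deleted)" after the original file has been replaced or unlinked.

# stale_qemu_pids [PROC_ROOT]
# Prints one PID per line for every process whose executable path contains
# "qemu" and whose on-disk binary no longer exists.
stale_qemu_pids() {
    proc_root="${1:-/proc}"
    for exe in "$proc_root"/[0-9]*/exe; do
        # readlink fails for kernel threads and for processes we may not inspect
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *qemu*" (deleted)")
                pid=${exe%/exe}
                echo "${pid##*/}"
                ;;
        esac
    done
}

# check_compute_node [PROC_ROOT]
# Returns 0 when no guest runs a replaced QEMU binary, 1 otherwise.
check_compute_node() {
    pids=$(stale_qemu_pids "$1")
    if [ -z "$pids" ]; then
        echo "OK: no guest is running a replaced QEMU binary"
        return 0
    fi
    for pid in $pids; do
        echo "STALE: pid $pid still runs the pre-update QEMU binary"
    done
    return 1
}

# Usage on a compute node, as root so every process can be inspected:
#   check_compute_node
```

Any PID reported as STALE belongs to a guest that has only been rebooted, or not touched at all, since the update; it still needs a full power off and start, or a migration.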

Will I get protected after a full upgrade?

Unless the new version is J-1.4.0, the qemu package is not fixed and the above procedure needs to be re-applied.