ESA-31: The VENOM Vulnerability in QEMU/KVM

Eucalyptus Security Team

May 13, 2015, 9:29:23 PM
to security...@eucalyptus.com

====================================================================
Eucalyptus Security Advisory

Advisory ID: ESA-31
Issue Date: 2015-05-13
Last Updated: 2015-05-13
Severity Level: Important
Affected Products: HP Helion Eucalyptus 4.1.1 and earlier
CVE Number: CVE-2015-3456
====================================================================

OVERVIEW
------------

A serious vulnerability, called VENOM, has been discovered in QEMU. It affects KVM and other hypervisors. The vulnerability allows a privileged guest user to crash the guest or potentially execute arbitrary code on the host.

HP Helion Eucalyptus is affected by this vulnerability. Updated packages are now available for the latest available versions of HP Helion Eucalyptus, 4.1.0 and 4.1.1. We recommend updating qemu-kvm packages on all nodes and restarting running VMs as soon as possible.


DESCRIPTION
-------------

The VENOM vulnerability in QEMU’s virtual Floppy Disk Controller (FDC) was discovered by Jason Geffner of CrowdStrike and affects various virtualization platforms including KVM:

- http://venom.crowdstrike.com/

The related security advisory for RHEL 6 and further analysis are available at:

- https://rhn.redhat.com/errata/RHSA-2015-1001.html
- https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/

This vulnerability allows a privileged guest user to crash the guest or potentially execute arbitrary code on the host with the privileges of the QEMU process.

HP Helion Eucalyptus uses QEMU/KVM on Node Controller (NC) components and is affected by the VENOM vulnerability.


SOLUTION
-------------

HP Helion Eucalyptus carries its own set of qemu-kvm-rhev packages as dependencies starting with Eucalyptus version 4.1.0. Patched packages (version 0.12.1.2-2.448.el6_6.3) are now available for HP Helion Eucalyptus version 4.1 at:

- http://downloads.eucalyptus.com/software/eucalyptus/4.1/centos/6/x86_64/
- http://downloads.eucalyptus.com/software/eucalyptus/4.1/rhel/6/x86_64/

We recommend updating all installed qemu-kvm-rhev packages on NCs immediately. All running VMs need to be powered off and started up again after the upgrade.

There are two ways to power off and restart the VMs to ensure that the QEMU update takes effect:

1) Cloud users can terminate (or stop, in the case of BFEBS instances) running instances and start them again using Eucalyptus APIs or supported CLI tools.

2) A system administrator with privileged access to NCs can destroy and re-create VMs using virsh commands. Be aware that in this case the VM is switched off immediately, with no warning to the user.

To identify all running VMs on an NC, run:
# virsh list

To shut off and restart a VM, execute the following:
# virsh destroy <vm_id> && virsh create <instance_path>/work/*/<vm_id>/instance-libvirt.xml

Here <instance_path> is "/var/lib/eucalyptus/instances" unless configured differently in eucalyptus.conf (see INSTANCE_PATH), and <vm_id> is the id of a running VM.
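The NC-side procedure above as a small shell script, added here as an example and not part of the advisory. It assumes the standard `virsh list` layout (Id, Name, State columns) with the libvirt domain name equal to the instance id used in the work directory, and that the hypervisor process is named qemu-kvm; the "(deleted)" check on /proc/<pid>/exe is a generic Linux way to spot VMs still running the pre-upgrade binary.

```shell
#!/bin/sh
# Restart every running Eucalyptus VM on an NC so the patched qemu-kvm
# binary is in use. Run after the qemu-kvm-rhev package upgrade.
INSTANCE_PATH="${INSTANCE_PATH:-/var/lib/eucalyptus/instances}"

# Extract domain names from `virsh list` output on stdin; the first two
# lines are the header and separator, a trailing blank line has NF == 0.
running_domains() {
    awk 'NR > 2 && NF >= 2 { print $2 }'
}

# Resolve the libvirt XML for one instance id (directory layout from the
# advisory); fail if the file is missing or the glob is ambiguous.
instance_xml() {
    vm_id="$1"
    set -- "$INSTANCE_PATH"/work/*/"$vm_id"/instance-libvirt.xml
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# PIDs of qemu-kvm processes whose executable was replaced on disk, i.e.
# VMs that have not been restarted since the package upgrade (assumption:
# process name qemu-kvm, as on RHEL/CentOS 6).
stale_qemu_pids() {
    for pid in $(pgrep -x qemu-kvm 2>/dev/null); do
        case "$(readlink "/proc/$pid/exe")" in
            *'(deleted)'*) echo "$pid" ;;
        esac
    done
}

# Destroy and re-create each running VM from its saved libvirt XML.
restart_all() {
    virsh list | running_domains | while read -r vm_id; do
        xml=$(instance_xml "$vm_id") || { echo "no XML for $vm_id" >&2; continue; }
        virsh destroy "$vm_id" && virsh create "$xml" \
            || echo "failed to restart $vm_id" >&2
    done
}
```

Running `stale_qemu_pids` before and after `restart_all` gives a quick check that no guest is still served by the old binary.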


CONTACT and HELP
-------------

Contact the HP Helion Eucalyptus Security Team at euca-s...@hp.com.
