Connect with us

Hi, what are you looking for?


Malware & Threats

Oracle Issues VENOM Security Updates

Oracle has released updates for its products to address the VENOM vulnerability impacting virtual environments.

Oracle has released updates for its products to address the VENOM vulnerability impacting virtual environments.

VENOM was publicly disclosed last week. Its name stands for Virtualized Environment Neglected Operations Manipulation (VENOM). The bug resides in QEMU’s virtual Floppy Disk Controller, and is used in numerous virtualization platforms including Xen and the native QEMU client. The vulnerability was discovered by a researcher at CrowdStrike, and has existed since 2004.

The bug is agnostic of both the host and guest operating system. In order to exploit it, an attacker – or their malware -would need administrative or root privileges in the guest operating system. While there has been some discussion about comparing its severity to the Heartbleed bug, experts agree the VENOM vulnerability should be patched as soon as possible. 

“Oracle has decided to issue this Security Alert based on a number of factors, including the potential impact of a successful exploitation of this vulnerability, the amount of detailed information publicly available about this flaw, and initial reports of exploit code already ‘in the wild’,” blogged Eric Maurice, software security assurance director at Oracle. “Oracle further recommends that customers apply the relevant fixes as soon as they become available.”

According to Oracle, Oracle Linux, Oracle Virtual Compute Appliance, Oracle VM and Oracle VM VirtualBox have updates to address the bugHowever, the company also stated that the following products include QEMU but do not yet have updates available: Oracle Database Appliance, Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud and Oracle Exalytics In-Memory Machine.

“Oracle is investigating and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against this vulnerability,” according to Oracle’s advisory. “The product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.”

Given its potential impact, VENOM can be big if an organization moves too slowly to address the threat, said Kapil Raina, a member of the Cloud Security Alliance’s Virtualization Working Group and head of product marketing at Elastica.

“The fact that it can be patched will limit the damage, but it will require an organization to schedule downtime and update their systems — not always possible immediately in every environment,” said Raina.

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Mobile security firm Zimperium has welcomed David Natker as its VP of Global Partners and Alliances.

CISA has appointed Jeff Greene as Executive Assistant Director for Cybersecurity and Trent Frazier as Assistant Director for Stakeholder Engagement.

David Chétrit has been appointed the CEO of Kudelski Security.

More People On The Move

Expert Insights