Oracle has released updates for its products to address the VENOM vulnerability impacting virtual environments.
VENOM was publicly disclosed last week. Its name stands for Virtualized Environment Neglected Operations Manipulation. The bug resides in QEMU’s virtual Floppy Disk Controller, code that is used in numerous virtualization platforms including Xen and the native QEMU client. The vulnerability was discovered by a researcher at CrowdStrike, and has existed since 2004.
The bug is agnostic of both the host and guest operating system. In order to exploit it, an attacker, or their malware, would need administrative or root privileges in the guest operating system. While there has been some discussion comparing its severity to the Heartbleed bug, experts agree the VENOM vulnerability should be patched as soon as possible.
“Oracle has decided to issue this Security Alert based on a number of factors, including the potential impact of a successful exploitation of this vulnerability, the amount of detailed information publicly available about this flaw, and initial reports of exploit code already ‘in the wild’,” blogged Eric Maurice, software security assurance director at Oracle. “Oracle further recommends that customers apply the relevant fixes as soon as they become available.”
According to Oracle, Oracle Linux, Oracle Virtual Compute Appliance, Oracle VM and Oracle VM VirtualBox have updates to address the bug. However, the company also stated that the following products include QEMU but do not yet have updates available: Oracle Database Appliance, Oracle Exadata Database Machine, Oracle Exalogic Elastic Cloud and Oracle Exalytics In-Memory Machine.
“Oracle is investigating and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against this vulnerability,” according to Oracle’s advisory. “The product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.”
Given its potential impact, VENOM can be big if an organization moves too slowly to address the threat, said Kapil Raina, a member of the Cloud Security Alliance’s Virtualization Working Group and head of product marketing at Elastica.
“The fact that it can be patched will limit the damage, but it will require an organization to schedule downtime and update their systems — not always possible immediately in every environment,” said Raina.
