[Openstack-operators] Venom vulnerability

Joe Topjian joe at topjian.net
Wed May 13 14:52:16 UTC 2015


 Hello,

 Looking through the details of the Venom vulnerability,
> https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/, it
> would appear that the QEMU processes need to be restarted.
>
>
>
> Our understanding is thus that a soft reboot of the VM is not sufficient
> but a hard one would be OK.
>
>
>
> Some quick tests have shown that a suspend/resume of the VM also causes a
> new process.
>

The RedHat KB article (linked in the blog post you gave) also mentions that
migrating to a patched server should also be sufficient. If either methods
(suspend or migration) work, I think those are nicer ways of handling this
than hard reboots.

I also found this statement to be curious:

"The sVirt and seccomp functionalities used to restrict host's QEMU process
privileges and resource access might mitigate the impact of successful
exploitation of this issue."

So perhaps RedHat already has mechanisms in place to prevent exploits such
as this from being successful? I wonder if Ubuntu has something similar in
place.


>   How are others looking to address this vulnerability ?
>

It looks like RedHat has released updates, but I haven't received an
announcement for Ubuntu yet -- does anyone know the status?

As soon as a fix is released, we'll update our hosts. That will ensure new
instances aren't vulnerable. We'll then figure out some way of coordinating
fixing of older instances.

Joe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-operators/attachments/20150513/753845d5/attachment.html>


More information about the OpenStack-operators mailing list