VENOM: QEMU Vulnerability (CVE-2015-3456)

VENOM is a buffer overflow vulnerability in the Floppy Disk Controller (FDC) emulation implemented in the QEMU component of the KVM/QEMU and Xen hypervisors.
This issue affects both Xen and KVM (Static and CloudBoot) hypervisors under CentOS 5.x and 6.x.

Static Hypervisors

To eliminate the security issue for Static Hypervisors, follow the procedure described below.

  • For customers willing to upgrade to the latest hypervisor tools (corresponding to the OnApp version they are running):

    1. Run the OnApp Xen Hypervisor installer

      /onapp/onapp-hv-install/onapp-hv-xen-install.sh

      or

      Run the OnApp KVM Hypervisor installer

      /onapp/onapp-hv-install/onapp-hv-kvm-install.sh
    2. If the kernel was updated at this stage, you should plan to reboot the hypervisor to ensure all HVs run a consistent kernel version.

      Consider migrating running guests to another host (if required) before the reboot.
  • For customers who are already using the latest hypervisor tools or do not want to upgrade them:

    • CentOS 5.x XEN packages (applies to OnApp 3.0.0 and up)

      # yum update xen xen-libs

      This should update to the 3.4.4-8.el5.onapp.x86_64 version.

    • CentOS 5.x KVM packages (the packages are released by Red Hat)

      # yum update kvm kmod-kvm

      This should update to the 83-272.el5_11.x86_64 version.

    • CentOS 6.x XEN packages (applies to OnApp 3.0.8 and up)

      # yum update xen xen-hypervisor xen-runtime xen-libs

      This should update to the 4.2.5-38.5.onapp.el6.x86_64 version.

    • CentOS 6.x KVM packages (the packages are released by Red Hat)

      # yum update qemu-kvm

      This should update to the 0.12.1.2-2.448.el6_6.3.x86_64 version.

    • Important: to eliminate the vulnerability, the VSs should be powered off and started up again, depending on the virtualization type:

      • For XEN, power off and start up the Windows-based and FreeBSD-based VSs.

      • For KVM, power off and then start up all the VSs.

Please note that it is not enough to restart the guests because a restarted guest would continue running using the same (old, not updated) QEMU binary.
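
The following check is an added example, not part of the original OnApp procedure: after the package update it lists QEMU processes that still run the replaced binary, using the "(deleted)" marker the Linux kernel appends to /proc/PID/exe once the file a process was started from has been replaced. Matching on "qemu" in the executable name (qemu-kvm, qemu-dm) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: find guests whose QEMU process predates the package update.

# stale_qemu_pids [proc_root]
# Prints "PID<TAB>exe-path" for every process whose executable name contains
# "qemu" and whose /proc/PID/exe link carries the kernel's "(deleted)" marker,
# i.e. the binary on disk was replaced while the process kept running.
# proc_root defaults to /proc; it is a parameter so the function can be run
# against a constructed directory tree.
stale_qemu_pids() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes we may not inspect
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$exe" in
            *qemu*" (deleted)")
                printf '%s\t%s\n' "${dir##*/}" "${exe% (deleted)}"
                ;;
        esac
    done
}

# check_stale_qemu [proc_root]
# Returns 0 when no running QEMU process uses a replaced binary, 1 otherwise,
# so it can gate the last step of a maintenance checklist.
check_stale_qemu() {
    found=$(stale_qemu_pids "$1")
    if [ -n "$found" ]; then
        echo "QEMU processes still running a pre-update binary:"
        echo "$found"
        echo "Power off and start up the corresponding VSs."
        return 1
    fi
    echo "No running QEMU process uses a replaced binary."
    return 0
}
```

Run check_stale_qemu as root on the hypervisor, since reading /proc/PID/exe of other users' processes requires it.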


CloudBoot Hypervisors

To eliminate the security issue for CloudBoot Hypervisors, run the OnApp 3.5.0-13 Storage Update. This should update to the following versions:

 
         CentOS 5.x                    CentOS 6.x
  Xen    3.4.4-8.el5.onapp.x86_64      4.4.2-2.el6.x86_64 (experimental)
  KVM    --------                      0.12.1.2-2.448.el6_6.3.x86_64