Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Ubuntu Security Update on VENOM (CVE-2015-3456) [UPDATED]

Robbie

on 13 May 2015

This article is more than 9 years old.


A buffer overflow in the virtual floppy disk controller of QEMU has been discovered. An attacker could use this issue to cause QEMU to crash or execute arbitrary code in the host’s QEMU process.

This issue is mitigated in a couple ways on Ubuntu when using libvirt to manage QEMU virtual machines, which includes OpenStack’s use of QEMU. The QEMU process in the host environment is owned by a special libvirt-qemu user which helps to limit access to resources in the host environment. Additionally, the QEMU process is confined by an AppArmor profile that significantly lessens the impact of a vulnerability such as VENOM by reducing the host environment’s attack surface.

A fix for this issue has been committed in the upstream QEMU source code tracker. Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. To address the issue, ensure that qemu-kvm 1.0+noroms-0ubuntu14.22 (Ubuntu 12.04 LTS), qemu 2.0.0+dfsg-2ubuntu1.11 (Ubuntu 14.04 LTS), qemu 2.1+dfsg-4ubuntu6.6 (Ubuntu 14.10), qemu 1:2.2+dfsg-5expubuntu9.1 (Ubuntu 15.04) are installed.

For reference, the Ubuntu Security Notices website is the best place to find information on security updates and the affected supported releases of Ubuntu.  Users can get notifications via email and RSS feeds from the USN site, as well as access the Ubuntu CVE Tracker.

Talk to us today

Interested in running Ubuntu in your organisation?

Newsletter signup

Get the latest Ubuntu news and updates in your inbox.

By submitting this form, I confirm that I have read and agree to Canonical's Privacy Policy.

Related posts

Deploying secure AI and real-time robots at ROSCon 24

Another year, another ROSCon! This year we’re setting off to Odense, Denmark. At Canonical, we are excited to once again sponsor this event for a community...

Build your private 5G network with Charmed Aether SD-Core

You might recall that we recently announced the beta release of Charmed Aether SD-Core, bringing automation to the Linux Foundation’s open source 5G...

Canonical at Cloud Expo 2024

The Cloud Expo Madrid 2024 will run on 16 and 17 October at IFEMA Madrid. Come down to our booth, K87, to meet us and chat about Cloud, AI, ML and more.