Venom vulnerability

I think that CVE-2015-3456 is affecting all Linux distributions using an unpatched version of qemu - according to the link you are referring to.

So what will be the fix? Is this something proxmox will have, or debian? I assume debian?
 
I wonder if we can live migrate our running VMs to another server in the cluster, update a given machine and live migrate the VMs back, to allow us to not have to reboot all of the VMs, and repeat the process for each node...?
 
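The rolling approach asked about above, as an added example that is not from the thread or from Proxmox: parse `qm list` for running guests, spot those still executing the pre-upgrade QEMU binary (a patched package only protects guests whose process was started after the upgrade), and emit the live-migration commands. It assumes standard Proxmox tooling (`qm list`, `qm migrate VMID TARGET --online`) and pidfiles under /var/run/qemu-server/VMID.pid; the `qm list` sample is constructed.

```shell
#!/bin/sh
# Added example: roll a patched qemu through a cluster without guest reboots.
# Assumptions: `qm list`, `qm migrate VMID TARGET --online`, and pidfiles at
# /var/run/qemu-server/VMID.pid (standard Proxmox VE layout).

# Print the VMIDs whose STATUS column reads "running" from `qm list` on stdin.
running_vmids() {
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ && $3 == "running" { print $1 }'
}

# Succeed when a readlink of /proc/PID/exe shows the on-disk binary was
# replaced while the process kept running (the kernel appends " (deleted)").
exe_is_deleted() {
    case "$1" in
        *"(deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# List running VMIDs whose QEMU process still uses the pre-upgrade binary;
# these are the guests that still need a migration (or restart).
stale_running_vms() {
    for vmid in $(qm list | running_vmids); do
        pid=$(cat "/var/run/qemu-server/${vmid}.pid" 2>/dev/null) || continue
        exe=$(readlink "/proc/${pid}/exe" 2>/dev/null) || continue
        exe_is_deleted "$exe" && echo "$vmid"
    done
}

# Print the live-migration commands for the given VMIDs to the TARGET node;
# pipe into `sh` to execute once reviewed.
migrate_cmds() {
    target=$1; shift
    for vmid in "$@"; do
        echo "qm migrate $vmid $target --online"
    done
}

# Constructed sample of `qm list` output, for running the parser offline.
SAMPLE_QM_LIST='      VMID NAME                 STATUS     MEM(MB)    BOOTDISK(GB) PID
       100 web01                running    2048              32.00 4242
       101 db01                 stopped    4096              64.00 0
       102 mail01               running    1024              16.00 4343'

if [ "${1:-}" = "--demo" ]; then
    # shellcheck disable=SC2046
    migrate_cmds pve2 $(printf '%s\n' "$SAMPLE_QM_LIST" | running_vmids)
fi
```

After the node is upgraded and the guests have been migrated back, `stale_running_vms` should print nothing; any VMID it still prints is running the old binary.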
Proxmox devs have been pretty good about addressing vulnerabilities in the past. Looking forward to their statement when one is ready.

I'm sure they'll do the right thing. For now I guess we just keep bumping this thread to keep it on the radar.

Dear Proxmox devs, you rock.
 
We can use floppy disks by adding, for example,
-fda /path/disk.vfd
If a KVM is started without this option, does that mean it is not vulnerable?

https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/
"It is also exposed regardless of presence of any floppy related QEMU command line options so even guests without floppy disk explicitly enabled in the libvirt or Xen configuration files are affected."
 
It doesn't matter whether or not the switch is there. Due to a secondary bug the vulnerable code is always active.
 
That is a good point - unlike things like heartbleed and shellshock, I don't know of any easy way to test for the vulnerability (which may be because of the "non-trivial" nature of taking advantage of it). If anyone does find a way to test, please share it!

Also, I'm wondering what everyone is doing with regard to their public facing VMs at this point?
 
From my understanding, no proof of concept has been released yet that targets this particular problem, but I am sure people are working on it now that it's been announced. Until then, it's all "theory".

The risk is biggest for VPS providers. If I was one, I would be applying this ASAP whatever the cost may be.

Public facing VMs are ok as long as they are properly secured. The fun begins if someone gets access to one of your public facing guest VMs, which is a big problem anyway. Once they get in there, in theory the rest of the VMs on that host are compromised.
 