===========================================================================
                   AUSCERT Security Bulletin ASB-2015.0051
   Oracle has released a security advisory detailing products which are
                  affected by the "VENOM" vulnerability
                               18 May 2015
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              VirtualBox
                      Oracle VM
                      Oracle Linux
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Denial of Service               -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-3456
Member content until: Wednesday, June 17 2015
Reference:            ESB-2015.1326
                      ESB-2015.1319
                      ESB-2015.1308
                      ESB-2015.1307
                      ESB-2015.1306
                      ESB-2015.1304

OVERVIEW

        Oracle has released a security advisory detailing products which
        are affected by the "VENOM" vulnerability (CVE-2015-3456), a buffer
        overflow vulnerability in QEMU's virtual Floppy Disk Controller
        (FDC).

        Oracle has stated that the following products are vulnerable:

        VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28
        Oracle VM 2.2, 3.2, 3.3
        Oracle Linux 5, 6, 7

IMPACT

        Oracle has provided the following details regarding this issue:

        "The vulnerable FDC code is included in various virtualization
        platforms and is used in some Oracle products. The vulnerability
        may be exploitable by an attacker who has access to an account on
        the guest operating system with privilege to access the FDC. The
        attacker may be able to send malicious code to the FDC that is
        executed in the context of the hypervisor process on the host
        operating system. This vulnerability is not remotely exploitable
        without authentication, i.e., may not be exploited over a network
        without the need for a username and password." [1]

MITIGATION

        Administrators of affected products are advised to apply the
        necessary patches as soon as possible to correct this issue. [1]

REFERENCES

        [1] Oracle Security Alert for CVE-2015-3456
            http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
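Added example, not part of the AusCERT bulletin or Oracle's alert: a Python check that parses the version string reported by `VBoxManage --version` and compares it against the VirtualBox branches listed as affected above (3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28). The helper names and the VBoxManage invocation are assumptions; Oracle VM and Oracle Linux are not covered here.

```python
import re
import subprocess

# Affected VirtualBox branches as listed in the bulletin above (assumed
# to be the complete list; branches not named are not flagged here).
AFFECTED_BRANCHES = {(3, 2), (4, 0), (4, 1), (4, 2)}
FIXED_4_3 = (4, 3, 28)  # first 4.3.x release the bulletin names as fixed


def parse_vbox_version(text):
    """Parse 'VBoxManage --version' output such as '4.3.26r98988' into (4, 3, 26).

    VBoxManage appends a build revision after 'r'; only major.minor.patch matter.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised VirtualBox version string: %r" % (text,))
    return tuple(int(part) for part in m.groups())


def virtualbox_affected(version):
    """Return True if (major, minor, patch) falls in a branch the bulletin lists."""
    major, minor, patch = version[:3]
    if (major, minor) in AFFECTED_BRANCHES:
        return True            # every 3.2 / 4.0 / 4.1 / 4.2 release is listed
    if (major, minor) == (4, 3):
        return (major, minor, patch) < FIXED_4_3   # 4.3.0 .. 4.3.27
    return False               # not named in this bulletin


def check_local_install():
    """Query the installed VirtualBox, if any. Returns True/False, or None if absent."""
    try:
        out = subprocess.check_output(["VBoxManage", "--version"], text=True)
    except (OSError, subprocess.CalledProcessError):
        return None            # VBoxManage not on PATH or failed to run
    return virtualbox_affected(parse_vbox_version(out))


if __name__ == "__main__":
    result = check_local_install()
    if result is None:
        print("VirtualBox not found")
    else:
        print("affected by CVE-2015-3456" if result else "not in an affected branch")
```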