===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0051
        Oracle has released a security advisory detailing products
              which are affected by the "VENOM" vulnerability
                                18 May 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              VirtualBox
                      Oracle VM
                      Oracle Linux
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Existing Account
                      Denial of Service               -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-3456
Member content until: Wednesday, June 17 2015
Reference:            ESB-2015.1326
                      ESB-2015.1319
                      ESB-2015.1308
                      ESB-2015.1307
                      ESB-2015.1306
                      ESB-2015.1304

OVERVIEW

        Oracle has released a security advisory detailing products which are
        affected by the "VENOM" vulnerability (CVE-2015-3456) - a buffer 
        overflow vulnerability affecting QEMU's virtual Floppy Disk 
        Controller.
        
        Oracle has stated that the following products are vulnerable:
        
        VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28
        Oracle VM 2.2, 3.2, 3.3
        Oracle Linux 5, 6, 7


IMPACT

        Oracle has provided the following details regarding this issue:
        
        "The vulnerable FDC code is included in various virtualization 
        platforms and is used in some Oracle products. The vulnerability may
        be exploitable by an attacker who has access to an account on the 
        guest operating system with privilege to access the FDC. The 
        attacker may be able to send malicious code to the FDC that is 
        executed in the context of the hypervisor process on the host 
        operating system. This vulnerability is not remotely exploitable 
        without authentication, i.e., may not be exploited over a network 
        without the need for a username and password." [1]
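
        The check an administrator would want from the two sections above,
        as an added example (not code from AusCERT or Oracle): it compares a
        VirtualBox host version with the affected ranges listed in the
        overview and lists VMs that expose a floppy controller, which
        Oracle's note says the attacker must be able to reach. It assumes
        VBoxManage is on PATH and that the virtual FDC appears as controller
        type "I82078" in machine-readable output; the sample output is
        constructed.

```python
# Added example, not from the AusCERT bulletin or Oracle's advisory: check a
# VirtualBox host against the version ranges the bulletin lists for
# CVE-2015-3456 and list the VMs that expose a virtual floppy controller.
# Assumes VBoxManage on PATH for the live check; sample output is constructed.
import re
import subprocess

FIRST_FIXED = (4, 3, 28)                                   # per the bulletin
AFFECTED_SERIES = {(3, 2), (4, 0), (4, 1), (4, 2), (4, 3)}  # per the bulletin

def host_is_vulnerable(version_string):
    """True if `VBoxManage --version` output is an affected series below 4.3.28."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version_string)
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) not in AFFECTED_SERIES:
        return False                        # series not named in the advisory
    return (major, minor, patch) < FIRST_FIXED

def floppy_controllers(showvminfo_output):
    """Names of floppy controllers in `showvminfo --machinereadable` output.
    Assumption: VBoxManage reports the virtual FDC as controller type "I82078".
    Oracle's note requires guest access to the FDC, so VMs with one come first."""
    names, types = {}, {}
    for line in showvminfo_output.splitlines():
        m = re.match(r'storagecontroller(name|type)(\d+)="([^"]*)"', line)
        if m:
            (names if m.group(1) == "name" else types)[m.group(2)] = m.group(3)
    return [names[i] for i, t in types.items() if t == "I82078"]

def assess(version_string, showvminfo_output):
    # (host vulnerable?, names of floppy controllers on this VM)
    return host_is_vulnerable(version_string), floppy_controllers(showvminfo_output)

def check_live_vm(vm_name):
    """Same check against the real host (assumes VBoxManage on PATH)."""
    ver = subprocess.check_output(["VBoxManage", "--version"], text=True)
    info = subprocess.check_output(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"], text=True)
    return assess(ver, info)

# Constructed sample: a 4.3.26 host and a VM with a SATA and a floppy controller.
SAMPLE_VERSION = "4.3.26r98988"
SAMPLE_VMINFO = '''name="build-box"
storagecontrollername0="SATA"
storagecontrollertype0="IntelAhci"
storagecontrollername1="Floppy"
storagecontrollertype1="I82078"
'''
```

        Run assess(SAMPLE_VERSION, SAMPLE_VMINFO) to see the offline result;
        check_live_vm("<vm name>") runs the same logic against a real host.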


MITIGATION

        Administrators of affected products are advised to apply the 
        necessary patches as soon as possible to correct this issue. [1]


REFERENCES

        [1] Oracle Security Alert for CVE-2015-3456
            http://www.oracle.com/technetwork/topics/security/alert-cve-2015-3456-2542656.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================