VENOM
VENOM (short for Virtualized Environment Neglected Operations Manipulation[1]) is a computer security flaw that was discovered in 2015 by Jason Geffner, then a security researcher at CrowdStrike.[2] The flaw was introduced in 2004 and affected versions of QEMU, Xen, KVM, and VirtualBox from that date until it was patched following disclosure.[3][4]
| CVE identifier | CVE-2015-3456 |
|---|---|
| Date discovered | 2015 |
| Date of public disclosure | May 13, 2015 |
| Date patched | May 2015 |
| Discoverer | Jason Geffner |
| Affected software | QEMU; Xen; KVM; VirtualBox |
| Website | venom |
The existence of the vulnerability was due to a flaw in QEMU's virtual floppy disk controller.[5]
VENOM is registered in the Common Vulnerabilities and Exposures database as CVE-2015-3456.[6]
Background
QEMU is a widely used emulator and hypervisor that provides device emulation and virtualization for a variety of platforms and is reused by higher-level virtualization systems such as Xen and KVM.[7]
The VENOM vulnerability arose from a defect in QEMU's implementation of the virtual floppy disk controller (FDC), which is used not only by standalone QEMU deployments but also by a range of virtualization platforms and cloud infrastructures that embed the relevant code.[7][8]
Discovery and disclosure
The vulnerability was discovered by Jason Geffner, a senior security researcher at CrowdStrike, during a security review of virtual machine hypervisors. CrowdStrike coordinated disclosure with QEMU maintainers and affected vendors, including the Xen Project and Linux distribution providers, before the issue was publicly announced.[9][8]
The vulnerability was disclosed publicly on 13 May 2015, together with a branded website and logo under the name "VENOM", and assigned the identifier CVE-2015-3456. Security advisories and updates were issued in quick succession by vendors such as Red Hat, SUSE, Oracle and IBM in the days following disclosure.[10][11][12]