This Security Alert addresses security issue CVE-2015-3456 ("VENOM"), a buffer overflow vulnerability in QEMU's virtual Floppy Disk Controller (FDC). The vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products. The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC. The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.
Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
This Security Alert is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF.
The security vulnerability addressed by this Security Alert directly affects the products listed in the categories below. Please click on the link in the Patch Availability column or in the Patch Availability Table to access the documentation for those patches.
Oracle products and systems that include the products listed in this Alert are likely also affected. Customers should refer to Venom vulnerability - CVE-2015-3456 for additional information about those products. Oracle is investigating and will provide fixes for affected products as soon as they have been fully tested and determined to provide effective mitigation against this vulnerability. The product lists will be updated without additional emails being sent to customers and OTN Security Alerts subscribers. Thus, customers will need to check back for updates.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
|Affected Products and Versions||Patch Availability
|VirtualBox 3.2, 4.0, 4.1, 4.2, 4.3 prior to 4.3.28||Oracle Linux and Virtualization|
|Oracle VM 2.2, 3.2, 3.3||Oracle Linux and Virtualization|
|Oracle Linux 5, 6, 7||Oracle Linux and Virtualization|
Patch availability information is provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers remain on actively supported versions to ensure that they continue to receive security fixes from Oracle.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.
Security Alert fixes are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to apply Security Alert fixes for products in the Extended Support Phase.
The Oracle security and development teams are investigating this issue and are developing fixes for the affected products and services. The Oracle Cloud teams are evaluating these fixes as they become available and will be applying the relevant patches in accordance with applicable change management processes.
Customers requiring additional information which is not addressed in this communication may obtain more information as follows:
The security fixes in this Security Alert are cumulative; the latest updates includes all fixes from previous Critical Patch Updates and Security Alerts.
|Product Group||Risk Matrix||Patch Availability and Installation Information|
|Oracle Linux and Virtualization||Oracle Linux and Virtualization||
|2015-May-15||Rev 1. Initial Release|
Appendix - Oracle Linux and Virtualization
Oracle Linux Executive Summary
This Security Alert contains 1 new security fix for Oracle Linux. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Linux Risk Matrix
Oracle Virtualization Executive Summary
This Security Alert contains 2 new security fixes for Oracle Virtualization. Neither of these vulnerabilities may be remotely exploitable without authentication, i.e., neither may be exploited over a network without the need for a username and password. The English text form of this Risk Matrix can be found here.
Oracle Virtualization Risk Matrix