15 May 2015
Both BigV and legacy VMs are now all running under a patched qemu.
14 May 2015
OK, I've just finished patching all the BigV hosts. Unlike the legacy platform, this is a zero-downtime procedure (with a few minor caveats I hope we'll be able to document properly tomorrow).
We became aware of the vulnerability at around 1400 UTC+1 and patching was complete by 1730 UTC+1, which I'm fairly pleased by. If you did notice anything odd, or experienced an unexpected reboot during this time, do let us know, but I think this is one of our more successful qemu vulnerability live patching adventures!
14 May 2015
Your legacy virtual machine must be rebooted urgently as we have now deployed a patch to the platform. This does not apply to BigV.
Please reboot your legacy virtual machine as soon possible. Machines that not been rebooted will be automatically rebooted starting from Friday 15 May 2015, 0700 UTC +1.
We are also emailing all the impacted customers directly.
Thanks for your patience whilst we've worked to patch and eliminate this serious vulnerability.
13 May 2015
CVE-2015-3456, aka "Venom", is a security vulnerability in the floppy drive emulation used by the Qemu, KVM, and Xen virtualization platforms.
This vulnerability potentially allows an attacker to escape from the confines of an affected virtual machine, gaining access to execute code on the host system.
We are not aware of any code to exploit this vulnerability that is in the wild right now.
Yes, both BigV and legacy virtual machines are affected.
Given how much control this vulnerability could give an attacker, we're not taking any chances. We are proactively updating both BigV and the legacy virtual machine platform to eliminate this vulnerability.
No. We are patching BigV to eliminate the vulnerability.
We are in the process of migrating customers' virtual machines to hosts that have had fixed packages applied to them.
You will not need to reboot your BigV virtual machine, nor should you see any impact on running services.
We will update this thread when the live-migration is complete.
Your legacy virtual machine will need to be rebooted once we have deployed the patch for this platform.
We will update this thread to advise customers of the impact to their legacy virtual machines as we begin to roll this out.
Dedicated servers are only affected if you are using
xen to run your own virtual machines.
In this case, we strongly recommend you apply the latest package updates on your dedicated server as early as possible. If you are a managed customer, we can assist -- please email firstname.lastname@example.org.
Xen users: see http://xenbits.xen.org/xsa/advisory-133.html for more information.