CVE-2015-3456 aka "Venom": new vulnerability affecting virtual machine platforms (BigV and legacy VMs)

Expected resolution: 15 May 2015, 15:24 UTC
Issue status: Resolved
Date: 15 May 2015, 11:18 UTC
Posted by: James Carter

Both BigV and legacy VMs are now all running under a patched qemu.

Issue status: Investigating
Date: 14 May 2015, 15:25 UTC
Posted by: Bytemark Engineer

BigV update

OK, I've just finished patching all the BigV hosts. Unlike the legacy platform, this is a zero-downtime procedure (with a few minor caveats I hope we'll be able to document properly tomorrow).

We became aware of the vulnerability at around 1400 UTC+1 and patching was complete by 1730 UTC+1, which I'm fairly pleased by. If you did notice anything odd, or experienced an unexpected reboot during this time, do let us know, but I think this is one of our more successful qemu vulnerability live patching adventures!

Issue status: Investigating
Date: 14 May 2015, 15:24 UTC
Posted by: Bytemark Engineer

Legacy VM update

Your legacy virtual machine must be rebooted urgently as we have now deployed a patch to the platform. This does not apply to BigV.

Please reboot your legacy virtual machine as soon as possible. Machines that have not been rebooted will be automatically rebooted starting from Friday 15 May 2015, 0700 UTC+1.

We are also emailing all the impacted customers directly.

Thanks for your patience whilst we've worked to patch and eliminate this serious vulnerability.

Issue status: Investigating
Date: 13 May 2015, 14:31 UTC
Posted by: Bytemark Engineer

CVE-2015-3456, aka "Venom", is a security vulnerability in the floppy drive emulation used by the Qemu, KVM, and Xen virtualization platforms.

This vulnerability potentially allows an attacker to escape from the confines of an affected virtual machine, gaining access to execute code on the host system.

We are not aware of any code to exploit this vulnerability that is in the wild right now.

Is my virtual machine affected?

Yes, both BigV and legacy virtual machines are affected.

Given how much control this vulnerability could give an attacker, we're not taking any chances. We are proactively updating both BigV and the legacy virtual machine platform to eliminate this vulnerability.

Do I need to do anything?

BigV users

No. We are patching BigV to eliminate the vulnerability.

We are in the process of migrating customers' virtual machines to hosts that have had fixed packages applied to them.

You will not need to reboot your BigV virtual machine, nor should you see any impact on running services.

We will update this thread when the live-migration is complete.

Legacy VM users

Your legacy virtual machine will need to be rebooted once we have deployed the patch for this platform.

We will update this thread to advise customers of the impact to their legacy virtual machines as we begin to roll this out.

Dedicated servers

Dedicated servers are only affected if you are using qemu or xen to run your own virtual machines.

In this case, we strongly recommend you apply the latest package updates on your dedicated server as early as possible. If you are a managed customer, we can assist -- please email support@bytemark.co.uk.

Xen users: see http://xenbits.xen.org/xsa/advisory-133.html for more information.

Further reading

http://venom.crowdstrike.com/
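For dedicated-server admins running their own qemu guests, the package update alone is not enough: a guest started before the upgrade keeps executing the old, unpatched qemu binary until it is rebooted or migrated, which is why the notices above require reboots. The following check is an added example, not Bytemark's tooling; it assumes a Linux host where /proc/PID/exe of a process whose binary was replaced after it started ends in "(deleted)", and the sample process list is constructed.

```shell
#!/bin/sh
# Added example (not Bytemark's code): find qemu/kvm processes still running a
# qemu binary that has since been replaced on disk, i.e. guests that are still
# on the pre-patch code for CVE-2015-3456 until restarted or live-migrated.

# stale_qemu_from_lines: reads "PID COMM EXE_TARGET" lines on stdin and prints
# the PIDs of qemu/kvm processes whose exe link target ends in "(deleted)".
# The EXE_TARGET field may contain spaces; read puts the remainder in $exe.
stale_qemu_from_lines() {
    while read -r pid comm exe; do
        case "$comm" in
            qemu*|kvm) ;;          # /proc/PID/comm is truncated to 15 chars
            *) continue ;;
        esac
        case "$exe" in
            *"(deleted)") printf '%s\n' "$pid" ;;
        esac
    done
}

# collect_qemu_procs: enumerate live processes via /proc (Linux only) and
# emit "PID COMM EXE_TARGET" lines in the format stale_qemu_from_lines expects.
collect_qemu_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        comm=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s %s %s\n' "$pid" "$comm" "$exe"
    done
}

# Constructed sample standing in for collect_qemu_procs output: guest 4242 was
# started before the qemu package upgrade, guest 4343 after it; the stale sshd
# is deliberately ignored because it is not a hypervisor process.
SAMPLE_PROCS='1 systemd /usr/lib/systemd/systemd
4242 qemu-system-x86 /usr/bin/qemu-system-x86_64 (deleted)
4343 qemu-system-x86 /usr/bin/qemu-system-x86_64
5000 sshd /usr/sbin/sshd (deleted)'

# On a real host run:  collect_qemu_procs | stale_qemu_from_lines
# Against the constructed sample this prints only 4242.
```

Any PID it prints is a guest whose qemu process must be restarted (or migrated to a patched host) before the fix actually applies to it.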
