    Security Advisory- VENOM vulnerability (CVE-2015-3456) – Updated May 14, 2015

    1. Last updated
    2. Save as PDF
    3. Share
      1. Share
      2. Tweet
      3. Share
    1. Subject: VENOM vulnerability (CVE-2015-3456) – Updated May 14, 2015
      1. Overview
      2. Additional references
      3. Effective Security Severity Level:
      4. Affected Systems:
      5. Tests and Certifications:
      6. Actions Taken for Hosted Systems:
      7. Required Actions for On-Premises and Local Systems:

    Subject: VENOM vulnerability (CVE-2015-3456) – Updated May 14, 2015

    Overview

    Ex Libris has been made aware of a recently disclosed vulnerability, known as VENOM (CVE-2015-3456), rated as "High".

    The flaw is a buffer overflow in the Floppy Disk Controller (FDC) emulation used by QEMU-based hypervisors. A privileged user inside a guest could exploit it to crash the guest VM or, potentially, to break out of the VM and execute code on the host itself, in the context of the hypervisor process that emulates the guest's hardware.
    From the host, an attacker could then potentially access data on, or execute code in, other guest VMs running on the same host system.

    This vulnerability is only exploitable by a user who already has privileged access inside a guest (for example root on a Linux guest), because writing to the emulated FDC's I/O ports requires elevated privileges. Because the FDC is emulated on the host, the exposure does not depend on the guest having a floppy drive configured.

    Red Hat's advisory for CVE-2015-3456 (linked below) provides more information.

    Additional references

    More detailed analysis of this vulnerability is available from:

    • https://access.redhat.com/articles/1444903
    • https://fortune.com/2015/05/13/venom-vulnerability/
    • http://www.theregister.co.uk/2015/05...nom_vuln_poisons_countless_vms/
    Effective Security Severity Level:

    High 

    Affected Systems:

    Ex Libris products running as guests on hypervisors that use the Quick Emulator (QEMU) device model. QEMU's FDC emulation is used in a number of common virtualization products, including Xen, KVM, Oracle VM VirtualBox and QEMU itself.

    Tests and Certifications:

    Ex Libris has evaluated the risks of this vulnerability. At the time of writing, no public exploit is known. In order to mount an exploit attempt, a user on the guest machine would need sufficient permissions to access the floppy disk controller I/O ports. For Linux guests, that means the user would need root access or otherwise elevated privileges. The fix is applied at the infrastructure level (the hypervisor host), as per vendor recommendations; because the vulnerable code runs in the host-side emulator process, a guest remains exposed until it is shut down and started again on the patched host (a reboot from inside the guest is not sufficient) or migrated to a patched host.
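    To make the mechanism described in the Overview and in the paragraph above concrete (a privileged guest writing bytes to the emulated controller's data port, and a store index into the controller's FIFO buffer that is trusted rather than bounded), here is an added C model written for this page. It is not QEMU's source and not Ex Libris code: the 512-byte buffer and the name FD_SECTOR_LEN follow QEMU's FDC emulation, but the three-byte command format, the FDCModel struct, the handler_resets_fifo switch and simulate_guest are constructed simplifications, and the model counts an out-of-bounds store instead of performing it. The specific commands that left the index unreset in the real bug are deliberately not reproduced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: the emulated controller's data FIFO is one 512-byte buffer.
 * The name and size follow QEMU's FD_SECTOR_LEN; everything else in this file is
 * a simplification written for this page, not QEMU's code. */
#define FD_SECTOR_LEN 512
/* Constructed: every command in this model is one opcode byte plus two parameters. */
#define CMD_TOTAL_BYTES 3

typedef struct {
    uint8_t  fifo[FD_SECTOR_LEN]; /* parameter/result bytes exchanged via the data port */
    uint32_t data_pos;            /* index of the next byte to store into fifo[] */
    uint32_t data_len;            /* bytes the current command expects (0 = idle) */
    int      handler_resets_fifo; /* 1: command handler returns the controller to idle */
    int      out_of_bounds_writes;/* stores that would have landed past fifo[] */
} FDCModel;

static void fdc_reset_fifo(FDCModel *c)
{
    c->data_pos = 0;
    c->data_len = 0;
}

/* All parameter bytes are in: the command handler runs. A well-behaved handler
 * resets the FIFO. The defective path modelled here does not, so data_pos is left
 * equal to data_len and the "command complete" test in the writers never fires
 * again: every further data-port write just advances the index. */
static void fdc_command_complete(FDCModel *c)
{
    if (c->handler_resets_fifo) {
        fdc_reset_fifo(c);
    }
}

/* Unpatched shape of the data-port write: the store index is trusted.
 * Instead of performing an out-of-bounds store (undefined behaviour), the model
 * counts it; in the real emulator it is a write past a heap buffer on the host. */
static int fdc_write_data_unpatched(FDCModel *c, uint8_t value)
{
    uint32_t pos;
    if (c->data_len == 0) {
        c->data_len = CMD_TOTAL_BYTES; /* first byte selects the command */
    }
    pos = c->data_pos++;
    if (pos >= FD_SECTOR_LEN) {
        c->out_of_bounds_writes++;
        return -1;
    }
    c->fifo[pos] = value;
    if (c->data_pos == c->data_len) {
        fdc_command_complete(c);
    }
    return 0;
}

/* Patched shape: force the store index into the allocated buffer before using it.
 * This is the general form of the fix (bound the index at the point of use); the
 * handler that forgets to reset the FIFO still exists, but can no longer corrupt memory. */
static int fdc_write_data_patched(FDCModel *c, uint8_t value)
{
    uint32_t pos;
    if (c->data_len == 0) {
        c->data_len = CMD_TOTAL_BYTES;
    }
    pos = c->data_pos++;
    pos %= FD_SECTOR_LEN;
    c->fifo[pos] = value;
    if (c->data_pos == c->data_len) {
        fdc_command_complete(c);
    }
    return 0;
}

/* Simulate a privileged guest that issues one complete command and then keeps
 * writing extra_bytes more bytes to the data port. Returns how many of those
 * stores would have escaped fifo[]. */
static int simulate_guest(int (*write_data)(FDCModel *, uint8_t),
                          int handler_resets_fifo, size_t extra_bytes)
{
    FDCModel c;
    size_t i;
    memset(&c, 0, sizeof c);
    c.handler_resets_fifo = handler_resets_fifo;
    for (i = 0; i < CMD_TOTAL_BYTES + extra_bytes; i++) {
        write_data(&c, (uint8_t)(i & 0xff));
    }
    return c.out_of_bounds_writes;
}

int main(void)
{
    printf("unpatched, handler resets FIFO:      %d out-of-bounds stores\n",
           simulate_guest(fdc_write_data_unpatched, 1, 2000));
    printf("unpatched, handler forgets to reset: %d out-of-bounds stores\n",
           simulate_guest(fdc_write_data_unpatched, 0, 2000));
    printf("patched,   handler forgets to reset: %d out-of-bounds stores\n",
           simulate_guest(fdc_write_data_patched, 0, 2000));
    return 0;
}
```

    Build with any C compiler (for example `cc -std=c99 -Wall` on the file). With a well-behaved handler the index cycles inside the buffer; with the forgetful handler the unpatched writer lets the guest push 1491 of the 2003 bytes past the end of the 512-byte FIFO, while the patched writer keeps every store in bounds. The bounding happens in the host-side emulator, which is why the fix is a hypervisor update and why a guest is only protected once its emulator process has been restarted on a patched host.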

    Actions Taken for Hosted Systems:

    Ex Libris has completed the vulnerability assessment and investigation process for potentially affected Hosted systems. Given the exploitation requirements of this vulnerability and the design and topology of the Ex Libris cloud, Ex Libris assesses the risk to Hosted systems as Low. A further update with additional information and the mitigation plan will be sent.

    Required Actions for On-Premises and Local Systems:

    Ex Libris strongly recommends following the instructions available from the links listed above and installing the vendor patch on the hypervisor hosts of Ex Libris on-premises and local systems, where applicable. Updating the hypervisor package alone does not protect guests that are already running: each affected VM must be shut down and started again (or migrated to a patched host) for the fix to take effect.

     


    Best regards,
    Tomer Shemesh
    Ex Libris Security Officer
