TPS-2015-003 Venom (CVE-2015-3456) in KVM/QEMU

Joyent Engineers are aware of the Venom (CVE-2015-3456) security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.

Although the flaw exists in our KVM/QEMU in the Joyent software (SmartDataCenter and the Joyent Public Cloud), our architecture runs QEMU inside of an additional secure container with almost no privileges. This means that if an attacker were to exploit this, they would be confined inside their secure container and CANNOT EXECUTE MALICIOUS CODE that will affect other customers.

We will be patching the software to completely remove this flaw, and will roll that out to the Joyent Public Cloud (JPC) and our SmartDataCenter (SDC) customers in a future build.

If you have any further questions or concerns, please contact Joyent Support by submitting a request at the Customer Support Portal or via email to support@joyent.com.