Yesterday, online news sources reported the recent discovery of the Venom bug, which called the strength of cloud security into question. Venom stands for “virtualized environment neglected operations manipulation.” The bug affects hypervisors, which control and coordinate the virtual machines running on a server.
Last year, the Heartbleed bug was estimated to have potentially impacted nearly 2/3 of the world’s servers. It was followed by Shellshock, which was thought to have a potentially much larger and more widespread impact.
The vulnerability specifically affects a free and open source hypervisor called Quick Emulator (QEMU), which is used in a number of common products including Xen hypervisors, KVM, Oracle VM VirtualBox, and the native QEMU client. VMware, Microsoft Hyper-V, and Bochs hypervisors were not affected.
Like some of the previous vulnerabilities that have come to light over the past few years, this is a server-side vulnerability, meaning that server owners will need to apply the security patches that are issued.
Well, how did all of this affect Priority Data and their web-based services?
Here at Priority Data, our web-based solutions were completely unaffected by the Venom bug. To be affected by Venom, a server must be using a hypervisor based on QEMU, which we are not using.
Other services that you use may be impacted, however, and we advise verifying with your cloud providers whether they have been impacted. CrowdStrike has issued a list of hypervisors that have issued notifications and patches here.