Oracle patches buffer overflow bug VENOM
Oracle has issued a patch for a serious buffer overflow vulnerability (CVE-2015-3456), called VENOM, that affects several of its products.
Due to the severity of the bug in QEMU's virtual Floppy Disk Controller (FDC), customers are strongly advised to apply the updates "as soon as possible," a Friday security alert said.
CrowdStrike senior security researcher Jason Geffner discovered the roughly decade-old bug; the name VENOM stands for Virtualized Environment Neglected Operations Manipulation.
In its Friday alert, Oracle said that it was also making the security alert available in an XML format "that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1."
VENOM impacts Oracle customers because "vulnerable FDC code is included in various virtualization platforms and is used in some Oracle products," such as VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 (prior to 4.3.28); Oracle VM 2.2, 3.2 and 3.3; and Oracle Linux versions 5, 6 and 7.