Hi JK,
Having read up a bit on VENOM, I must say that I am not too afraid of it, as the attack will have to be mounted from inside one running OVM guest, e.g. a web server. So the first thing is to secure your guests, which is mandatory anyway. This will also render any mass deployment of attacks unfeasible, since an attacker would always have to gain a foothold in the guest before trying to attack Xen through VENOM.
So I think this is definitely not something for the kiddies, but for a targeted attack, and who would withstand such an attack anyway?
Cheers,
budy
Hi Budy,
I agree with you. It can only be a targeted attack, and what we can do is only mitigation and prevention for now.
JK
One additional thing to know is that PVM guests do not expose the risk because they do not use qemu emulated devices:
XSA-133 - Xen Security Advisories
Regards,
Michal
Oracle issued advisories OVMSA-2015-0057, OVMSA-2015-0058, and OVMSA-2015-0059 and made patches available yesterday related to the VENOM vulnerability.
OVMSA-2015-0057 -- Oracle VM 3.3 -- https://oss.oracle.com/pipermail/oraclevm-errata/2015-May/000308.html
OVMSA-2015-0058 -- Oracle VM 3.2 -- https://oss.oracle.com/pipermail/oraclevm-errata/2015-May/000309.html
OVMSA-2015-0059 -- Oracle VM 2.2 -- https://oss.oracle.com/pipermail/oraclevm-errata/2015-May/000309.html
Hi,
I have just checked that Oracle has made the latest patches available via the OVM3 repo, and I'd assume via the public yum repo as well. I guess it's time to move the guests to a spare server and run the updates.
Hi Budy,
May we know whether we need to reboot the server after updating the packages below?
xen-tools-4.1.3-25.el5.127.36.1
xen-4.1.3-25.el5.127.36.1
xen-devel-4.1.3-25.el5.127.36.1
Well, yes. You will have to reboot the server, as the xen-tools are also updated and may interfere with the older xen running at that time. So, in order to get the patch actually working, you will need to reboot your OVS.
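A way to check both points raised in this exchange from the OVS side: whether the installed xen packages are at or above the fixed versions listed above, and whether the running hypervisor predates the package install (so a reboot is still pending). This is an added example, not code from the thread or from Oracle. It takes the fixed versions from the package list in the question, ignores RPM epochs (the default `rpm -qa` output omits them), and uses the common "package INSTALLTIME newer than boot time" heuristic for the reboot check; the `rpm -qa` lines in `SAMPLE_INSTALLED` are constructed for the offline run.

```python
"""Audit Oracle VM Server xen packages against the VENOM fix versions and flag
a pending reboot.  Added example; not from the forum thread or from Oracle."""
import re
import subprocess

# Minimum fixed version-release per package, taken from the package list
# posted in the thread (xen-4.1.3-25.el5.127.36.1 and friends).
FIXED = {
    "xen":       "4.1.3-25.el5.127.36.1",
    "xen-tools": "4.1.3-25.el5.127.36.1",
    "xen-devel": "4.1.3-25.el5.127.36.1",
}

# Segments rpm compares: runs of digits, runs of letters, and the '~' marker.
_SEG = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp does
    (epoch and '^' handling left out).  Returns -1, 0 or 1."""
    if a == b:
        return 0
    ta, tb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(ta, tb):
        if x == "~" or y == "~":          # '~' sorts before anything, even end
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit():                 # numeric segment beats alpha segment
            return 1
        elif y.isdigit():
            return -1
        else:
            c = (x > y) - (x < y)         # plain string order for alpha runs
        if c:
            return c
    if len(ta) == len(tb):
        return 0
    longer_is_a = len(ta) > len(tb)
    rest = ta[len(tb):] if longer_is_a else tb[len(ta):]
    if rest[0] == "~":                    # trailing '~...' makes the longer one older
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def vr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvr(nvr: str):
    """'xen-tools-4.1.3-25.el5.127.36.1' -> ('xen-tools', '4.1.3-25.el5.127.36.1')"""
    name, version, release = nvr.rsplit("-", 2)
    return name, f"{version}-{release}"


def audit(installed_nvrs):
    """Map each package in FIXED to 'fixed', 'vulnerable' or 'not installed'."""
    found = dict(parse_nvr(line.strip()) for line in installed_nvrs if line.strip())
    status = {}
    for name, fixed in FIXED.items():
        if name not in found:
            status[name] = "not installed"
        elif vr_cmp(found[name], fixed) >= 0:
            status[name] = "fixed"
        else:
            status[name] = "vulnerable"
    return status


def reboot_needed(install_time: int, boot_time: int) -> bool:
    """If the xen package was installed after the current boot, the hypervisor
    still running is the pre-patch one (heuristic, assumption of this example)."""
    return install_time > boot_time


def live_check():
    """Run the same checks on a real OVS host (not used by the offline sample)."""
    rpm_out = subprocess.run(["rpm", "-qa", "xen", "xen-tools", "xen-devel"],
                             capture_output=True, text=True, check=True).stdout
    inst = subprocess.run(["rpm", "-q", "--qf", "%{INSTALLTIME}\n", "xen"],
                          capture_output=True, text=True, check=True).stdout
    with open("/proc/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime"))
    return audit(rpm_out.splitlines()), reboot_needed(int(inst.split()[0]), btime)


# Constructed sample of `rpm -qa` output: xen one release behind the fix,
# xen-tools patched, xen-devel absent, plus an unrelated package to ignore.
SAMPLE_INSTALLED = [
    "xen-4.1.3-25.el5.127.36",
    "xen-tools-4.1.3-25.el5.127.36.1",
    "kernel-uek-2.6.39-400.249.3.el5uek",
]

if __name__ == "__main__":
    for pkg, state in audit(SAMPLE_INSTALLED).items():
        print(f"{pkg:10s} {state}")
    print("reboot needed:", reboot_needed(install_time=1431600000, boot_time=1431500000))
```

On a patched host every package should report `fixed` and `reboot_needed` should be false after the reboot; a `vulnerable` or `not installed` entry for `xen` itself is the one that matters for the running hypervisor, since `xen-devel` only carries headers.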
Hi RLH2005,
Thanks for putting this up. Apparently they haven't forgotten the older versions, which is a good thing.
We are currently running version 3.2.7.
Is it possible/recommended to update only the xen packages (xen, xen-devel, xen-tools), or is it necessary to update first to Oracle VM 3.2.9?
alex
Hi Alex,
Update to 3.2.9. It has security fixes to 3.2.7, and I have updated it with virtually no issues.