Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Robbie
on 13 May 2015

Ubuntu Security Update on VENOM (CVE-2015-3456) [UPDATED]


A buffer overflow in the virtual floppy disk controller of QEMU has been discovered. An attacker could use this issue to cause QEMU to crash or execute arbitrary code in the host’s QEMU process.

This issue is mitigated in a couple ways on Ubuntu when using libvirt to manage QEMU virtual machines, which includes OpenStack’s use of QEMU. The QEMU process in the host environment is owned by a special libvirt-qemu user which helps to limit access to resources in the host environment. Additionally, the QEMU process is confined by an AppArmor profile that significantly lessens the impact of a vulnerability such as VENOM by reducing the host environment’s attack surface.

A fix for this issue has been committed in the upstream QEMU source code tracker. Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, Ubuntu 14.10, and Ubuntu 15.04 are affected. To address the issue, ensure that qemu-kvm 1.0+noroms-0ubuntu14.22 (Ubuntu 12.04 LTS), qemu 2.0.0+dfsg-2ubuntu1.11 (Ubuntu 14.04 LTS), qemu 2.1+dfsg-4ubuntu6.6 (Ubuntu 14.10), qemu 1:2.2+dfsg-5expubuntu9.1 (Ubuntu 15.04) are installed.

For reference, the Ubuntu Security Notices website is the best place to find information on security updates and the affected supported releases of Ubuntu.  Users can get notifications via email and RSS feeds from the USN site, as well as access the Ubuntu CVE Tracker.

Related posts


Andreea Munteanu
12 February 2025

AI in 2025: is it an agentic year?

AI Article

2024 was the GenAI year. With new and more performant LLMs and a higher number of projects rolled out to production, adoption of GenAI doubled compared to the previous year (source: Gartner). In the same report, organizations answered that they are using AI in more than one part of their business, with 65% of respondents ...


Canonical
11 February 2025

Canonical announces 12 year Kubernetes LTS 

Canonical announcements Article

Canonical’s Kubernetes LTS (Long Term Support) will support FedRAMP compliance and receive at least 12 years of committed security maintenance and enterprise support on bare metal, public clouds, OpenStack, Canonical MicroCloud and VMware. February 11,  2025 Today, Canonical announced a 12 year security maintenance and support commitment ...


Lidia Luna Puerta
10 February 2025

How your feedback shapes the way we support open source software

Ubuntu Article

Over the past year, we’ve been busy gathering  your feedback on the redesign of our support portal. We want to make sure the portal meets your evolving needs, and delivers the best possible support experience for your open source software. Your insights drive us forward, and this year, we’ll focus on incorporating your valuable feedback w ...