VENOM
| CVE identifier | CVE-2015-3456 |
|---|---|
| Date discovered | 2015 |
| Date of public disclosure | May 13, 2015 |
| Date patched | May 2015 |
| Discoverer | Jason Geffner |
| Affected software | QEMU; Xen; KVM; VirtualBox |
| Website | venom |
VENOM (short for Virtualized Environment Neglected Operations Manipulation[1]) is a computer security flaw that was discovered in 2015 by Jason Geffner, then a security researcher at CrowdStrike.[2] The flaw was introduced in 2004 and affected versions of QEMU, Xen, KVM, and VirtualBox from that date until it was patched following disclosure.[3][4]
The existence of the vulnerability was due to a flaw in QEMU's virtual floppy disk controller.[5]
VENOM is registered in the Common Vulnerabilities and Exposures database as CVE-2015-3456.[6]
Background
[edit]QEMU is a widely used emulator and hypervisor that provides device emulation and virtualization for a variety of platforms and is reused by higher-level virtualization systems such as Xen and KVM.[7]
The VENOM vulnerability arose from a defect in QEMU's implementation of this FDC, which is used not only by standalone QEMU deployments but also by a range of virtualization platforms and cloud infrastructures that embed the relevant code.[7][8]
Discovery and disclosure
[edit]The vulnerability was discovered by Jason Geffner, a senior security researcher at CrowdStrike, during a security review of virtual machine hypervisors. CrowdStrike coordinated disclosure with QEMU maintainers and affected vendors, including the Xen Project and Linux distribution providers, before the issue was publicly announced.[9][8]
The vulnerability was disclosed publicly on 13 May 2015, together with a branded website and logo under the name "VENOM", and assigned the identifier CVE-2015-3456. Security advisories and updates were issued in quick succession by vendors such as Red Hat, SUSE, Oracle and IBM in the days following disclosure.[10][11][12]
References
[edit]- ^ Richard A. Clarke; Robert K. Knake (2019). The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats. Penguin. pp. 320–. ISBN 978-0-525-56197-2.
- ^ "VENOM Vulnerability". Venom.crowdstrike.com. Archived from the original on May 13, 2015.
- ^ Whittaker, Zack (May 13, 2015). "Bigger than Heartbleed, 'Venom' security vulnerability threatens most datacenters". ZDNet. Retrieved 11 November 2017.
- ^ Dan Goodin (May 14, 2015). "Extremely serious virtual machine bug threatens cloud providers everywhere". Ars Technica. Retrieved 11 November 2017.
- ^ Stone, Jeff (May 14, 2015). "Venom Security Flaw: Bug Exploits Floppy Drive, But Researchers Say Threat Overstated". International Business Times. IBT Media. Retrieved 11 November 2017.
- ^ Marc Dacier; Michael Bailey; Michalis Polychronakis; Manos Antonakakis (2017). Research in Attacks, Intrusions, and Defenses: 20th International Symposium, RAID 2017, Atlanta, GA, USA, September 18–20, 2017, Proceedings. Springer. pp. 422–. ISBN 978-3-319-66332-6.
- ^ a b "TR-37 – VENOM / CVE-2015-3456 – Critical vulnerability in QEMU Floppy Disk Controller (FDC) emulation". Computer Incident Response Center Luxembourg. May 2015. Retrieved 23 November 2025.
- ^ a b "CVE-2015-3456". Debian security tracker. Debian Project. Retrieved 23 November 2025.
- ^ "CVE-2015-3456". Red Hat Customer Portal. Red Hat. Retrieved 23 November 2025.
- ^ "CVE-2015-3456". SUSE security. SUSE. Retrieved 23 November 2025.
- ^ "Oracle Security Alert for CVE-2015-3456 ("VENOM")". Oracle. 15 May 2015. Retrieved 23 November 2025.
- ^ "Security Bulletin: Venom vulnerability affects IBM PureApplication System (CVE-2015-3456)". IBM Support. 27 May 2015. Retrieved 23 November 2025.
 | This computer security article is a stub. You can help Wikipedia by expanding it. |