Venom vulnerability: Reboot required on certain servers

A new security vulnerability, CVE-2015-3456, was announced last week. The flaw is found in the QEMU virtualization software, and permits an attacker to gain access to a vulnerable host from a virtual machine located on that host.

Immediately following this announcement, we applied the necessary patches, thus reinforcing the existing security measures we had previously implemented. Over the past week, we have continued to study the vulnerability. As a preventative measure, we have decided that a reboot of certain VMs is required in order to ensure that all possible attack vectors have been mitigated.

This preventive reboot will only affect a small proportion of our customers. We will contact affected customers directly via email to provide instructions on performing the reboot on their own.

We will reboot the VMs of affected customers (who have not rebooted on their own) on Monday, May 25 at 11:59 p.m. PDT (that is: Tuesday, May 26, 2015 at 07:59 UTC).

For more information, see the following resources:

• RedHat’s announcement: VENOM: QEMU vulnerability (CVE-2015-3456)
• Ubuntu’s announcement: USN-2608-1: QEMU vulnerabilities

If you have questions or encounter any problems regarding this issue, our support team is available to assist you.