Flexiant became aware of a critical security vulnerability in the KVM and Xen hypervisors on Wednesday. It is commonly known as 'VENOM' (CVE-2015-3456).
The vulnerability could potentially allow breaking out of a VM and the execution of code in the host Compute Node.
*** This does NOT affect VMWare, Hyper-V and PCS hypervisors ***
The discovery prompted us to rebuild our Node Images for both FCO versions 4.x and 5.x. The hot fix includes a patched version of affected QEMU packages as provided by Ubuntu.
Please note this is a vulnerability of QEMU and not FCO code. Further information is available here:
The prerequisites for applying the fix are as follows:
If you are using FCO v4 you MUST be running 4.2.6.
If you are using FCO v5 you MUST be running 5.0.2.
*** If you require an upgrade from 5.0.0 or 5.0.1 to 5.0.2 please contact Flexiant Support beforehand. Do not attempt to upgrade 5.0.2 yourself. ***
(If for whatever reason you do not wish to apply the hot patch, 4.2.7 and 5.0.3 will also contain the fix.)
Links to the hot patches are as follows:
4.2.6 hot patch (MD5 1b1aef46ea59b69c8ae6315217de2c7b):
5.0.2 hot patch (MD5 25e79eb89eaf88daa84e38ee08fa1f59):
Installing the hot patch will not affect access to the Control Panel but every Compute Node must be rebooted to apply the fix.
To install the hot patch, SSH to your FCO Manager (and any KVM/Xen Cluster Control Managers) and download install the patch as follows:
wget http://...url to correct version patch...
dpkg -i … filename of correct version patch...
You can check the new package has installed successfully with this command:
dpkg -l extility-node-images-data
The output should contain EXTL8367 for v5 and EXTL8368 for v4 in the version field.
If any errors are encountered please contact Flexiant Support.
At this stage FCO has the new image but the Nodes are still running the vulnerable version. To update the Nodes requires a reboot of each Node. The goal is ensure every KVM/Xen process is running from a patched Node. This is no different to a normal upgrade which contains a new QEMU version, which also requires a reboot of each node.
The process of migrating a VM from a vulnerable Node to an upgraded Node will mean the VM is no longer vulnerable. You will need to Migrate all VMs off each node to another and then reboot the empty Node. The Node rebooting process is required to ensure it boots with the new image version.
Once this has been completed for all Compute Nodes the platform can be considered fully patched.
If you have any questions regarding this please e-mail email@example.com or raise a ticket in the portal.