Posted on 14.5.2015

UpCloud and VENOM, CVE-2015-3456, Security Vulnerability

Yesterday, on Wednesday 13th, 2015, Crowdstrike announced information regarding a security vulnerability they had discovered in the floppy disk controller on QEMU. The vulnerability allows an attacker to escape the confinement of the Virtual Machine guest operating system and gain privileged access to the host machine.

Since a key component of security in virtualised environments is the ability to limit access to guest operating systems only, patching this vulnerability was of major importance immediately when we saw it.

Last night, at around 17.30 UTC, we informed all our customers via e-mail about the patching process that would begin later that night at 19.00 UTC. We did not want to publicly announce anything since this would have given notice to potential exploiters as well. This morning, at 6:28 UTC, all UpCloud’s host machines in all three service areas had been patched.

While this project was enormous given such a short time frame, with the forced security updates we were able to migrate all customers to updated host machines. We were able to decommission, in an accelerated fashion, a large number of older host machines resulting in better performance and reliability for our customers at large.

The CVE-2015-3456 advisory is not an issue on UpCloud anymore and we want to thank our customers for co-operating with us on such a short notice. We continue to monitor all announcements and advisories regarding the different components we use in our infrastructure to keep our service as secure as possible.

Joel Pihlajamaa

Leave a Reply

Your email address will not be published. Required fields are marked *

GDPR, ISO 27001 and CISPE Code of Conduct: a guide to European compliance with UpCloud

Headquartered in Helsinki, UpCloud stands at the forefront of the European cloud infrastructure industry, rooted in Finnish traditions of technical and business excellence. Every customer who chooses to partner with us isn’t just selecting a cloud hosting solution; they’re placing their business, their confidence, and their aspirations in the hands of a certified Cloud Service […]

Announcements

Data Sovereignty

What is Private Cloud? Definition, architecture, and examples

Private cloud infrastructure emerged as a solution to some of the drawbacks of public cloud services. Although the private cloud has similarities to public cloud architecture, it distinctly provides a proprietary framework dedicated to a single organisation. Cloud services are agile and scalable, and many companies have already made the choice to move away from […]

Industry analyses

Long reads

Comprehensive guide to secure and highly available cloud server backups

In today’s digital landscape, cloud server backups are critical for data protection and part of an essential disaster recovery plan. Threats to data security and business systems can be digital and physical, ranging from cyber-attacks and hardware failures to the impacts of climate change or global unrest.  Data, an essential business asset, can be lost […]

Comparisons

Long reads

Back to top