Posted on 14.5.2015

UpCloud and VENOM, CVE-2015-3456, Security Vulnerability

Yesterday, on Wednesday 13th, 2015, Crowdstrike announced information regarding a security vulnerability they had discovered in the floppy disk controller on QEMU. The vulnerability allows an attacker to escape the confinement of the Virtual Machine guest operating system and gain privileged access to the host machine.

Since a key component of security in virtualised environments is the ability to limit access to guest operating systems only, patching this vulnerability was of major importance immediately when we saw it.

Last night, at around 17.30 UTC, we informed all our customers via e-mail about the patching process that would begin later that night at 19.00 UTC. We did not want to publicly announce anything since this would have given notice to potential exploiters as well. This morning, at 6:28 UTC, all UpCloud’s host machines in all three service areas had been patched.

While this project was enormous given such a short time frame, with the forced security updates we were able to migrate all customers to updated host machines. We were able to decommission, in an accelerated fashion, a large number of older host machines resulting in better performance and reliability for our customers at large.

The CVE-2015-3456 advisory is not an issue on UpCloud anymore and we want to thank our customers for co-operating with us on such a short notice. We continue to monitor all announcements and advisories regarding the different components we use in our infrastructure to keep our service as secure as possible.

Joel Pihlajamaa

Leave a Reply

Your email address will not be published. Required fields are marked *

Information regarding Foreshadow, the Intel L1 Terminal Fault vulnerability

Intel recently shared information about a newly identified vulnerability in their processors. It concerns a speculative execution side-channel method that Intel calls L1 Terminal Fault or L1TF for short. The vulnerability was discovered by two independent groups of researchers who have titled it Foreshadow. L1TF aka Foreshadow The Foreshadow vulnerability (CVE-2018-3615) is an exploit on the speculative execution […]


The discovery and mitigation of AMD Zen CPU vulnerability aka Zenbleed

Yesterday, on the 24th of July 2023, Google Project Zero published their findings of a new flaw in AMD’s Zen 2 processors. The vulnerability titled ‘Zenbleed’ affects the entire Zen 2 product stack, from AMD’s EPYC data center processors to the Ryzen 3000 CPUs. It can be exploited to steal sensitive data stored in the […]


New Intel CPU vulnerability GDS/Downfall

On August 8, 2023, Intel published a new security vulnerability that exploits Gather Data Sampling (GDS). Named Downfall by its discoverer, it impacts multiple generations of Intel processors used in both personal and cloud computers. Downfall is a transient execution side-channel vulnerability that targets a critical weakness found in many modern Intel processor models. Following the […]


Back to top