VENOM, CVE-2015-3456, an acronym for “Virtualized Environment Neglected Operations Manipulation”, is a serious bug in popular virtualization platforms including Xen, KVM, and Oracle’s VirtualBox. According to security experts the bug has existed since 2004.
Jason Geffner, the CrowdStrike Senior Security Researcher who discovered it, says this vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.
To prevent zero-day attacks, CrowdStrike responsibly disclosed VENOM to the QEMU Security Contact List, the Xen security mailing list, the Oracle security mailing list, and the Operating System Distribution Security mailing list on April 30, 2015.
Virtualization products affected:- Xen hypervisors, KVM (or “kernel-based virtual machine”), Oracle VM VirtualBox, and the native QEMU client
Virtualization products not affected:- EMC-owned VMware and Microsoft Hyper-V