A virtual server bug is said to be worse than Heartbleed
In case you were napping, Heartbleed struck web servers’ OpenSSL security last year, opening up the servers’ memory to intruders. There’s a new so-called zero-day vulnerability, only this time the researchers who discovered it say it’s much worse, impacting millions of datacenter machines.
VMware, Microsoft Hyper-V, and Bochs hypervisors are not affected.
The flaw is called Venom, which stands for Virtualised Environment Neglected Operations Manipulation. What does that mean? With the common practice of putting multiple customers into virtual servers, datacenters are set up to share some key tools, but sensitive information remains separated. Thanks to Venom, though, a hacker can gain access to a datacenter’s entire storage network, leaving all of the customers on it vulnerable.
As you might expect, the issue resides in an often ignored virtual floppy disk controller, but when it’s exploited, it’s like opening up a vault of stored info. Many modern virtual systems contain the bug — platforms like Oracle’s VirtualBox, KVM and Xen. The good news is Oracle says it already remedied the issue, and will fix it completely in a forthcoming update.
Read the full article here at ZDNet