K16620: QEMU vulnerability CVE-2015-3456

Published: 2015-10-03 00:00:00
Source: my.f5.com

AI Score: 8.2 High (Confidence: High)

CVSS2: 7.7 High
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:A/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.001 Low (Percentile: 40.4%)

Security Advisory Description

Description

An out-of-bounds memory access flaw, also known as “VENOM,” was found in the way QEMU’s virtual Floppy Disk Controller (FDC) handled FIFO buffer access while processing certain FDC commands. A privileged guest user could use this flaw to crash the guest or, potentially, execute arbitrary code on the host with the privileges of the host’s QEMU process corresponding to the guest. (CVE-2015-3456)

Impact

This vulnerability may allow unauthorized modification or disruption of service. F5 products are subject to this vulnerability only when configured as a vCMP hypervisor host. A vCMP guest itself is not vulnerable, but a user with root or administrator-level permissions within a configured vCMP guest is required for the attack. BIG-IP Virtual Edition and non-vCMP deployments of the BIG-IP system are not impacted.

Important: A third-party KVM hypervisor on which a BIG-IP Virtual Edition guest instance is installed might be vulnerable; however, the BIG-IP Virtual Edition guest instance itself is not vulnerable. Customers in this deployment model need to check with the provider of their KVM hypervisor for details on their specific status.

Status

F5 Product Development has assigned ID 523032 to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth may list Heuristic H523048 on the Diagnostics > Identified > High screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature |
| --- | --- | --- | --- | --- |
| BIG-IP LTM | 11.0.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9, 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP AAM | 11.4.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9 | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP AFM | 11.3.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9 | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP Analytics | 11.0.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9, 11.2.1 HF15 | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP APM | 11.0.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9, 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP ASM | 11.0.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9, 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP DNS | None | 12.0.0 | Not vulnerable | None |
| BIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP GTM | 11.0.0 - 11.6.0 | 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9, 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP Link Controller | 11.0.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9, 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP PEM | 11.3.0 - 11.6.0 | 12.0.0, 11.6.0 HF5, 11.5.3 HF2, 11.5.1 HF9, 11.4.1 HF9 | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP PSM | 11.0.0 - 11.4.1 | 11.4.1 HF9, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| BIG-IP WOM | 11.0.0 - 11.3.0 | 11.2.1 HF15, 10.1.0 - 10.2.4¹ | Severe | vCMP Host Hypervisor (qemu-kvm) |
| ARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None |
| Enterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None |
| FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | Not vulnerable | None |
| BIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None |
| BIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None |
| BIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None |
| BIG-IQ ADC | None | 4.5.0 | Not vulnerable | None |
| LineRate | None | 2.2.0 - 2.5.0, 1.6.0 - 1.6.4 | Not vulnerable | None |
| F5 WebSafe | None | 1.0.0 | Not vulnerable | None |
| Traffix SDC | None | 4.0.0 - 4.1.0, 3.3.2 - 3.5.1 | Not vulnerable | None |

¹ vCMP is not available on BIG-IP versions prior to 11.0.0.

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
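
The upgrade-candidate rule above, applied to three rows of the table, as an added example (not F5 code). The `FIXED` dictionary, the function names and the treatment of a release without a hotfix as HF0 are assumptions of this example; it reports only what the table lists and does not infer the status of versions the table does not name.

```python
import re

# "Versions known to be not vulnerable" for three products, copied from the table.
FIXED = {
    "BIG-IP LTM": ["12.0.0", "11.6.0 HF5", "11.5.3 HF2", "11.5.1 HF9",
                   "11.4.1 HF9", "11.2.1 HF15", "10.1.0 - 10.2.4"],
    "BIG-IP GTM": ["11.6.0 HF5", "11.5.3 HF2", "11.5.1 HF9", "11.4.1 HF9",
                   "11.2.1 HF15", "10.1.0 - 10.2.4"],
    "BIG-IP Edge Gateway": ["11.2.1 HF15", "10.1.0 - 10.2.4"],
}


def parse(version):
    """'11.5.3 HF2' -> (11, 5, 3, 2); a release without a hotfix counts as HF0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def bounds(entry):
    """A table entry is either a single release or a 'low - high' range."""
    parts = [p.strip() for p in entry.split(" - ")]
    return parse(parts[0]), parse(parts[-1])


def upgrade_candidates(product, running):
    """Return (already_listed, candidates) for the running version.

    already_listed: the running version appears in the not-vulnerable column.
    candidates: listed versions that are newer than the running one; listed
    versions older than the running one are dropped, as the advisory directs.
    """
    cur = parse(running)
    already, candidates = False, []
    for entry in FIXED[product]:
        low, high = bounds(entry)
        if low <= cur <= high:
            already = True
        elif low > cur:
            candidates.append(entry)
    return already, candidates


if __name__ == "__main__":
    for product, running in [("BIG-IP LTM", "11.5.3 HF1"),
                             ("BIG-IP Edge Gateway", "11.3.0"),
                             ("BIG-IP GTM", "11.6.0 HF5")]:
        print(product, running, upgrade_candidates(product, running))
```

The Edge Gateway 11.3.0 case returns an empty list: every listed version is older than the running one, which is the "no upgrade candidate currently exists" outcome the advisory describes.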

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in K4602: Overview of the F5 security vulnerability response policy.

Supplemental Information
