History: Jun 15, 2018 - 7:03 a.m.

Security Bulletin: Venom vulnerability affects IBM PureApplication System (CVE-2015-3456)

2018-06-15 07:03:07
www.ibm.com

7.7 High (CVSS2)

Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:A/AC:L/Au:S/C:C/I:C/A:C

Summary

IBM PureApplication System is vulnerable to Venom: “Virtualized Environment Neglected Operation Manipulation”.

Vulnerability Details

CVEID: CVE-2015-3456
DESCRIPTION: QEMU is vulnerable to a buffer overflow, caused by improper bounds checking by the Floppy Disk Controller (FDC) emulation. By sending specially crafted FDC commands, a guest operating system attacker with access to the FDC I/O ports could overflow a buffer and execute arbitrary code on the system with root privileges. Note: This vulnerability is also being called VENOM.

CVSS Base Score: 7.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103116> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:L/Au:S/C:C/I:C/A:C)

Affected Products and Versions

IBM PureApplication System V2.0
IBM PureApplication System V2.1

Remediation/Fixes

The IBM PureApplication System may be affected. Contact IBM Support for information regarding mitigation.

IBM recommends that you review your entire environment to identify vulnerable releases of the open-source hypervisor QEMU and virtualization infrastructures that utilize QEMU and take appropriate mitigation and remediation actions.

Workarounds and Mitigations

None
