> Hello,
>
> Looking through the details of the Venom vulnerability,
> https://securityblog.redhat.com/2015/05/13/venom-dont-get-bitten/, it
> would appear that the QEMU processes need to be restarted.
>
> Our understanding is thus that a soft reboot of the VM is not sufficient
> but a hard one would be OK.
>
> Some quick tests have shown that a suspend/resume of the VM also causes a
> new process.
The RedHat KB article (linked in the blog post you gave) also mentions that migrating to a patched server should also be sufficient. If either method (suspend or migration) works, I think those are nicer ways of handling this than hard reboots.

I also found this statement to be curious: "The sVirt and seccomp functionalities used to restrict host's QEMU process privileges and resource access might mitigate the impact of successful exploitation of this issue." So perhaps RedHat already has mechanisms in place to prevent exploits such as this from being successful? I wonder if Ubuntu has something similar in place.

> How are others looking to address this vulnerability?

It looks like RedHat has released updates, but I haven't received an announcement for Ubuntu yet -- does anyone know the status? As soon as a fix is released, we'll update our hosts. That will ensure new instances aren't vulnerable. We'll then figure out some way of coordinating fixing of older instances.

Joe
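As an added check for the remediation discussed in this thread (example code, not from the list posts or from any distribution's tooling), the script below lists the QEMU processes on a host that are still running a binary the package update has replaced, which is exactly the set a guest-side soft reboot leaves untouched. It assumes a Linux /proc layout; the process-name pattern is a constructed guess covering qemu-kvm and qemu-system-*.

```python
import os
import re

# Process names of the QEMU binaries discussed in the thread (constructed:
# RHEL's qemu-kvm and Ubuntu's qemu-system-*).
QEMU_NAME_RE = re.compile(r"^qemu-(kvm|system-[\w-]+)$")


def is_stale(exe_target, proc_start, binary_mtime):
    """True when the process cannot be running the binary now on disk.

    The kernel appends ' (deleted)' to the exe link once the package
    manager has replaced the file, and a process started before the new
    binary's mtime never loaded it.  A soft reboot inside the guest changes
    neither; hard reboot, suspend/resume and migration start a fresh process.
    """
    return exe_target.endswith(" (deleted)") or proc_start < binary_mtime


def start_time_from_stat(stat_text, btime, clk_tck):
    """Epoch start time from /proc/<pid>/stat field 22 (starttime, in ticks).
    comm may contain spaces, so split after the last ')' (field 3 follows)."""
    fields = stat_text[stat_text.rindex(")") + 2:].split()
    return btime + int(fields[19]) / clk_tck


def find_stale_qemu(proc="/proc"):
    """Return [(pid, exe)] for QEMU processes still on a replaced binary."""
    if not os.path.isdir(proc):
        return []  # not Linux: nothing to inspect
    with open(f"{proc}/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime "))
    clk_tck = os.sysconf("SC_CLK_TCK")
    stale = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as f:
                if not QEMU_NAME_RE.match(f.read().strip()):
                    continue
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/stat") as f:
                started = start_time_from_stat(f.read(), btime, clk_tck)
            path = exe[:-10] if exe.endswith(" (deleted)") else exe
            mtime = os.stat(path).st_mtime if os.path.exists(path) else float("inf")
        except OSError:
            continue  # process exited, or not ours to inspect
        if is_stale(exe, started, mtime):
            stale.append((int(pid), exe))
    return stale
```

Run `find_stale_qemu()` as root on a compute host after the package update; each pid it returns belongs to an instance that still needs a hard reboot, suspend/resume or migration.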
_______________________________________________ OpenStack-operators mailing list OpenStack-operators@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators