Amazon has made a bold & cryptic claim that their cloud services were not bitten by the venom flaw
Last year’s discovery of the Heartbleed bug, which affected the very backbone of the internet, sent shock waves across the web, leaving hundreds of thousands of everyday users wondering how safe they and their data really were online. The Heartbleed scare has now died down, only to be replaced by the discovery of a new and more terrifying security flaw called Venom. Security researchers announced the discovery of Venom only this morning, stating that it attacks cloud-hosted networks from the inside: Venom allows hackers to break out of one virtual machine and move freely to another, nabbing data as they go.
Specifically, Venom attacks a piece of technology known as a hypervisor, which coordinates the virtual machines running on a system. Fortunately, the Venom bug only affects the open source hypervisor known as Quick Emulator (QEMU). Still, the bug leaves millions of potential users’ data open to attack, prompting swift responses from major companies such as Amazon, which has put out a cryptic yet forceful statement that its cloud services are unaffected by the flaw.
“We are aware of the QEMU security issue assigned CVE-2015-3456, also known as ‘VENOM,’ which impacts various virtualized platforms. There is no risk to AWS customer data or instances.”
It’s a bold statement for Amazon to make when it’s known that its cloud services run on Xen hypervisors, which are among those affected by the Venom flaw. Since the company has declined to comment on how its cloud services remained unaffected, we can only assume it is because they run on a variant of Xen that was not affected. Several other major cloud service providers were not as fortunate as Amazon in dodging this latest security flaw.
Rackspace has stated that it is currently working with customers to find a solution, though how fast it will be able to do so is hard to say. The IBM SoftLayer cloud, hit by the Xen vulnerabilities that affected Amazon and Rackspace last year, might also be affected, although IBM has yet to make a statement. Red Hat has put out a list of its products that were hit by the Venom flaw, including Red Hat Enterprise Linux versions 5, 6, and 7 as well as the Red Hat OpenStack Platform. It has also published a detailed list of advisories and patches for all of the affected products.
Joyent was also forced to put out an advisory detailing the updates being rolled out to its systems to eliminate the risk, noting that the affected code has been isolated. Oracle, on the other hand, has been much less talkative about the problem, refusing to say whether its systems were affected or not. Security researchers, however, have cited Oracle VirtualBox among the affected products. All users can do at the moment is keep an eye out for messages from their cloud service providers and from CrowdStrike, who discovered the flaw, on how to protect themselves.