Amazon issued a pretty strong, if detail-free, statement that its cloud services have not been affected by the scary-sounding Venom bug disclosed on Wednesday morning.
Per the company’s posted comment:
We are aware of the QEMU security issue assigned CVE-2015-3456, also known as “VENOM,” which impacts various virtualized platforms. There is no risk to AWS customer data or instances.
Rackspace (RAX), was slightly less definitive, saying via email that it has applied the patch and is “working with customers to fully remediate this vulnerability.” An updated Rackspace post, stated that the company had patched the affected portions of its infrastructure but for the fix to take effect, customers’ virtual machines have to be powered off and on within 24 hours. “Our preference is that customers do this themselves, and we strongly recommend that customers take this action as quickly as possible.”
Red Hat listed a number of products, including Red Hat (RHT) Enterprise Linux versions 5, 6, and 7 as well as several Red Hat OpenStack Platform versions that are vulnerable to this flaw, and it listed advisories and patches for each. Joyent also posted an advisory that it is updating its systems, but that the vulnerable code is isolated. Ditto: Digital Ocean.
It is unclear if IBM (IBM) SoftLayer cloud is affected, but IBM was beset by the Xen vulnerabilities that forced big emergency reboots to Amazon (AMZN) and Rackspace clouds in September through October of last year, and again in February. Fortune reached out for comment and will update when it is forthcoming.
An IBM spokesman later responded that SoftLayer services are not affected. His statement: “SoftLayer
engineers, in concert with our technology partners, completed a deep analysis of the vulnerability and determined that SoftLayer virtual servers are not affected by this vulnerability.”
Oracle (ORCL) declined to comment on this story, although when Fortune was briefed by the researchers who discovered the bug, they cited Oracle’s Virtual Box as having been affected.
Chris Eng, vice president of research at Veracode, said last fall’s bug was more narrowly focused than Venom because it only affected Xen, but it’s impact or “blast radius” was probably much bigger for two reasons.
“First, there was potential for malicious virtual machines to crash the host server. Second, Amazon’s infrastructure was affected, which in turn impacted its massive customer base. The patching process also required systems to reboot, which caused downtime for many AWS customers.”
Word to the wise: customers of all these vendors should be on the lookout for advisories from CrowdStrike, the security vendor that pinpointed the issue, as well as from their respective technology providers.
Venom affects QEMU, or the Quick Emulator, an aging piece of code that resides in commonly used Xen and KVM virtual machine monitors, as well as Oracle VM VirtualBox. The problem is that these monitors—”hypervisors,” in industry parlance—are used throughout company data centers and big cloud infrastructures, so if someone exploits this vulnerability, the problems could be widespread. Amazon runs on a variant of the Xen hypervisor. Red Hat’s products are largely dependent on KVM. VMware (VMW) and Microsoft (MSFT) hypervisors are unaffected by the flaw.
Update: 9:38 p.m. EST This story was updated to add news about Digital Ocean’s fix; detail on Rackspace’s update; and IBM’s statement.
