Venom reactions
Thought it might be interesting to make a list of if/when providers make a statement/fix regarding venom. I've got at least 2 KVM LEBs which are affected, with no info from providers as yet. In most cases, this is going to require VMs to be restarted so also interested to know if providers will force reboots at any point...
Remember - this only affects KVM and XEN-HVM (not XEN-PV or OpenVZ) - please post if/when your provider makes a statement!
Comments
We've updated our nodes and informed our clients that they must manually shut down their KVM instances and boot them (as a reboot won't work).
My provider did a maintenance restart last weekend. They didn't say why at the time. I guess now we know.
bertan -- are you sure that's why they did restarts? The original Xen security notification only came out on the 11th.
Mail just landed from EDIS - rebooting in 2 hours time.
For anyone who has no idea what this is, like me ..
Here's a link
https://access.redhat.com/articles/1444903
Some providers like Linode are usually informed before release.
And to be fair the pre release did make it sound very much like floppy emulation was required to be vulnerable.
They told the providers two weeks before they made the security advisory public.
@bertan, I'm on the Xen security list and the original e-mail came out on the 11th. If your provider knew two weeks prior to that, I'd like to know how.
My Custom Hosting website and VM in Montreal are down a couple hours, hopefully unrelated.
Maybe because two weeks ago someone formatted all his servers.. lol
Linode, Amazon and others are informed before public release, as I said.
Here's what happened for me;
RamNode sent me an email, and my 1 KVM server with them was temporarily paused 15 minutes later. It took about 40 seconds, but when it was back, the server didn't even know it had been paused; zero disruption.
Vultr didn't let me know first and completely shut down an instance for 20 minutes. A little while later, my other server with them rebooted (instant start-up again). Vultr posted something on their blog about 15 minutes after my second server rebooted; no emails.
I've not had any notifications from Backupsy, but I don't know enough about them to know if they were ever affected. I didn't notice any reboots, however I don't closely monitor that server so I wouldn't notice a quick downtime.
The rest of my servers weren't affected.
@William, http://www.xenproject.org/security-policy.html has the list of companies informed early. The notice to these companies went out on the 11th of May. Now maybe someone was informed earlier elsewhere but I doubt it was much earlier than the 11th of May.
From fliphost at 11:21pm GMT+7 on the 13th of May:
Hello there,
You're receiving this email because you have one or more services in one of our KVM nodes affected by the recently publicized VENOM vulnerability.
You may find further details on the vulnerability at http://venom.crowdstrike.com/
At the moment, it is crucial to your service integrity and stability for us to apply the relevant patches.
Query Foundry will be rebooting the affected KVM nodes on an urgent basis shortly after this message has reached you.
We apologize for any problems this might cause you, but this is truly out of our hands.
Thank you for understanding.
-- The Query Foundry team.
The monitoring tool has detected a downtime of 8 minutes on one of our KVM VPS and after checking the log files, the hour of this downtime corresponds with the hour in the log, and I've confirmed a reboot that was executed by the node.
I guess that the provider has rebooted the node, but I haven't been warned.
So you're going to trust your clients not to escape into dom0 while the affected instances are running?
Hello,
I ended up sending an email issuing an immediate reboot :-).
Atlantic.net's cloud platform said a reboot will be done on this date at this time if you don't reboot (their 99 cent/mo offer on LEB is pretty solid, enough that I still have it and ordered 3 more services).
I opened a ticket at my KVM provider. I labeled it "FYI Only", now I regret that. There has been no response, but since the ticket is "FYI Only", it is reasonable not to expect a response. Still, I expect a reboot notice at some point.
I haven't heard anything about my cloud instance at Quadranet or vps at Leaseweb.
Updated and rebooted all my 25 Proxmox nodes.
Send a mail to customers: no, thank you.
Back on the 14th of May I had asked vstoike.ru if they're aware of the new attack, and they'd replied that they were and they're tackling the problem.
A few hours back I got another response from them stating that they'll make an announcement on planned works schedule, and that all servers are going to be updated.
OVH RunAbove KVM still up, no word of any planned patches or reboots.
Torqhost (Wavecom) got around to doing it today.
Just got an e-mail from RunAbove:
Just got RunAbove e-mail as well.
Me 3.
Me4!