On May 13, 2015, a vulnerability was disclosed in the QEMU Floppy Drive Controller that, when exploited, could allow an attacker to escape a virtual machine on certain open source hypervisors. CVE-2015-3456 (VENOM) has been assigned for this vulnerability.
The areas investigated for remediation for Electra clients are:
1. Clients’ own computer systems
2. Electra’s hosted systems
With respect to client-installed Electra Reconciliation software (OpenStaars), there is no vulnerability per se because the vulnerability is in the operating system software and not in the application software. Electra encourages its customers to apply the appropriate patches, which are now widely available, to mitigate the risk from this vulnerability.
For its own systems, the software running at NaviSite is not running any of the affected hypervisors. The systems at Rackspace and Amazon have already been patched.
We take the responsibility of keeping your information protected very seriously at Electra Information Systems. We would like to assure you that, with regard to the VENOM bug:
1) Your account is secure
2) Your account details were not exposed in the past and will remain secure
3) You do not need to take any additional action to safeguard your information
4) There is no need to change your password
5) All servers have been patched to avoid other potential exploits of this bug