Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts.

The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem.

Researcher Jason Geffner of threat intelligence outfit Crowdstrike quietly tipped off vendors including Oracle to VENOM (Virtualised Environment Neglected Operations Manipulation) (CVE-2015-3456) and notified the Oracle, QEMU, and Xen mailing lists.

"The vulnerable virtual Floppy Disk Controller (FDC) code is included in various virtualisation platforms and is used in some Oracle products," the company says in a patch advisory.

"The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC.

"The attacker may be able to send malicious code to the FDC that is executed in the context of the hypervisor process on the host operating system."

The vulnerability can only be remotely exploited if attackers are logged into a box but Oracle still considers it severe enough to "strongly recommend" customers apply the patches and reboot as soon as possible.

That limitation prevented mass exploitation.

Affected versions include VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28; Oracle VM 2.2, 3.2, and 3.3, and Oracle Linux 5, 6, and 7.

Further diluting the potency of VENOM is the immunity of AWS Xen instances.

Trustwave threat intelligence manager Karl Sigler says the bug is similar to a privilege escalation bug in that it requires is predicated on existing access to virtual machines.

"Most corporate virtual environments are isolated from anonymous or public access and would be immune to attack," Sigler told El Reg.

"I would see this attack typically used to target hosting companies that use virtual environments like KVM. An attacker would purchase a KVM instance then use VENOM to breach the hosting machine." ®