Oracle has issued guidance for the highly publicised Venom vulnerability in a bid to assure customers that its virtual environments and cloud servers are safe.
Eric Maurice, software security assurance director at Oracle, issued the guidance in a blog post, promising customers that the firm will release patches for all affected products in the near future.
"Oracle has also published a list of Oracle products that may be affected by this vulnerability. This list will be updated as fixes become available," read the advisory.
"The Oracle security and development teams are also working with the Oracle cloud teams to ensure that the Oracle cloud teams can evaluate these fixes as they become available and be able to apply the relevant patches."
Venom (CVE-2015-3456) is a decade-old vulnerability in the virtual floppy disk controller (FDC) code of QEMU, which is also used by Xen, KVM and hypervisor appliances built on them. It was uncovered by researchers at CrowdStrike.
The flaw is considered particularly dangerous because an attacker could use it to break out of a supposedly isolated guest virtual machine and take control of the host operating system, and with it every other guest running on that host.
"Successful exploitation could provide the malicious attacker, who has privileges to access the FDC on a guest operating system, with the ability to completely take over the targeted host system," explained Maurice.
"As a result, a successful exploitation of the vulnerability can allow a malicious attacker to escape the confines of the virtual environment for which he/she had privileges."
The advisory listed Oracle Database Appliance [Product ID 9435], Oracle Exadata Database Machine [Product ID 2546], Oracle Exalogic Elastic Cloud [Product ID 9415] and Oracle Exalytics In-Memory Machine [Product ID 9736] as the only products vulnerable to Venom for which patches were not yet available.
The seriousness of the flaw led some industry commentators to list Venom as a "Heartbleed level flaw".
Heartbleed is a flaw in OpenSSL's implementation of the transport layer security (TLS) heartbeat extension. OpenSSL is used by open source web servers such as Apache and Nginx, which between them host around 66 percent of all sites.
However, security researchers told V3 that the comparison between Venom and Heartbleed is overblown, pointing out that no attacks in the wild have been seen targeting it and that it is not remotely exploitable in most deployments: an attacker first needs privileged access inside a guest virtual machine in order to reach the emulated floppy controller.