Oracle has issued guidance for the highly publicised Venom vulnerability in a bid to assure customers that its virtual environments and cloud servers are safe.
Eric Maurice, software security assurance director at Oracle, issued the guidance in a blog post, promising customers that the firm will release patches for all affected products in the near future.
"Oracle has also published a list of Oracle products that may be affected by this vulnerability. This list will be updated as fixes become available," read the advisory.
"The Oracle security and development teams are also working with the Oracle cloud teams to ensure that the Oracle cloud teams can evaluate these fixes as they become available and be able to apply the relevant patches."
Venom is a vulnerability, roughly a decade old at disclosure, in the virtual floppy disk controller (FDC) code of QEMU, which Xen, KVM and appliances built on them inherit as their device model. It was uncovered by researchers at CrowdStrike.
The flaw is considered particularly dangerous because an attacker could use it to break out of a guest virtual machine and take control of the host operating system running it.
"Successful exploitation could provide the malicious attacker, who has privileges to access the FDC on a guest operating system, with the ability to completely take over the targeted host system," explained Maurice.
"As a result, a successful exploitation of the vulnerability can allow a malicious attacker to escape the confines of the virtual environment for which he/she had privileges."
The advisory listed Oracle Database Appliance [Product ID 9435], Oracle Exadata Database Machine [Product ID 2546], Oracle Exalogic Elastic Cloud [Product ID 9415] and Oracle Exalytics In-Memory Machine [Product ID 9736] as the only vulnerable products for which patches were not yet available.
The seriousness of the flaw led some industry commentators to list Venom as a "Heartbleed level flaw".
Heartbleed was a flaw in OpenSSL's implementation of the TLS heartbeat extension; OpenSSL underpins open source web servers such as Apache and Nginx, which host around 66 percent of all sites.
However, security researchers told V3 that the comparison with Heartbleed is overstated: there are no known attacks in the wild targeting Venom, and in most deployments it cannot be exploited remotely, because the attacker first needs sufficiently privileged code running inside a guest to reach the FDC.
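One practical point behind the "apply the relevant patches" guidance above: updating the QEMU/KVM package on a host does not change the code already loaded into guest processes that were started before the update, so each guest must be restarted (or live-migrated to a patched host) before the fix is actually in effect. The script below is an added example, not Oracle's or the QEMU project's code, for spotting guests that are still running a replaced hypervisor binary. It assumes a Linux host where /proc/<pid>/exe links to the executable and the kernel appends " (deleted)" once that file has been replaced on disk; the binary names in HYPERVISOR_BINARIES and the sample process table are assumptions and constructed data.

```python
"""Find hypervisor processes still executing a binary that has since been
replaced on disk, i.e. guests that have not picked up a QEMU/KVM fix yet.

Added example; not Oracle's or the QEMU project's code. Assumes a Linux host
where /proc/<pid>/exe is a symlink to the executable and, after the package
manager has replaced that file, the link target ends in " (deleted)".
"""
import os

DELETED_SUFFIX = " (deleted)"

# Assumed executable names of QEMU-based device models; adjust per distribution.
HYPERVISOR_BINARIES = ("qemu-kvm", "qemu-system-x86_64", "qemu-system-aarch64", "qemu-dm")


def is_stale(exe_target: str) -> bool:
    """True when the file backing a running process has been replaced or removed."""
    return exe_target.endswith(DELETED_SUFFIX)


def on_disk_path(exe_target: str) -> str:
    """Strip the kernel's ' (deleted)' marker to recover the original path."""
    return exe_target[:-len(DELETED_SUFFIX)] if is_stale(exe_target) else exe_target


def stale_hypervisor_processes(processes):
    """processes: iterable of (pid, comm, exe_target) as read from /proc.

    Returns [(pid, comm, path)] for hypervisor processes whose binary on disk
    no longer matches what they are running. Matching is done on the exe path,
    not on comm, because the kernel truncates comm to 15 characters.
    """
    stale = []
    for pid, comm, exe_target in processes:
        path = on_disk_path(exe_target)
        if os.path.basename(path) in HYPERVISOR_BINARIES and is_stale(exe_target):
            stale.append((pid, comm, path))
    return stale


def collect_from_procfs(proc_root="/proc"):
    """Read (pid, comm, exe_target) for every process we are allowed to inspect.

    Entries we cannot read (other users' processes without root, or processes
    that exit mid-walk) are skipped rather than treated as errors.
    """
    out = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "comm")) as f:
                comm = f.read().strip()
            exe_target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except OSError:
            continue
        out.append((int(entry), comm, exe_target))
    return out


# Constructed sample: a host after a qemu package update, before any guest restart.
SAMPLE_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (2311, "qemu-kvm", "/usr/libexec/qemu-kvm (deleted)"),      # still running old code
    (2450, "qemu-kvm", "/usr/libexec/qemu-kvm"),                # started after the update
    (2602, "qemu-system-x86", "/usr/bin/qemu-system-x86_64 (deleted)"),
    (3001, "sshd", "/usr/sbin/sshd (deleted)"),                 # stale, but not a hypervisor
]


if __name__ == "__main__":
    processes = collect_from_procfs() if os.path.isdir("/proc") else SAMPLE_PROCESSES
    for pid, comm, path in stale_hypervisor_processes(processes):
        print(f"PID {pid} ({comm}) is still running a replaced {path}: "
              f"restart the guest or live-migrate it to a patched host")
```

Run it as root on the host after the package update; empty output means no guest is still executing the old binary. It only tells you that a process predates the replacement of its executable, not that the new file on disk actually contains the fix, so check the installed package version separately, and if the fix arrived in a shared library rather than the main binary, apply the same " (deleted)" check to the mappings in /proc/<pid>/maps.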