Oracle VirtualBox Zero-Day Vulnerability Leaked by Annoyed Researcher



Written by David Marshall

An independent researcher has discovered what he reports to be a zero-day vulnerability in VirtualBox, a popular general-purpose virtualization platform targeted at server, desktop and embedded use.

What's interesting here is that the researcher chose to publicly disclose the security hole rather than privately inform the vendor, which in the case of VirtualBox is Oracle.  He justified this act by calling it a reaction to his previous bad experience with Oracle.  Last year, he found and reported a vulnerability that took almost 15 months for the vendor to release a fix.  So this time, he took a different path of notification. 

Sergey Zelenyuk, the Russian researcher, said he discovered a security flaw in Oracle's VM VirtualBox that would allow someone to escape from the virtual environment of the guest machine to reach the Ring 3 privilege layer used for running code from most user programs with the least privileges.  The zero-day vulnerability could allow an attacker with root access to then gain access to the underlying OS.

The vulnerability is reported to exist in VirtualBox 5.2.20 and prior versions.


Cloudistics Announces Enhanced Security in its Cloud Platform

Grazed from Cloudistics

Cloudistics, an enterprise hybrid cloud computing company, announced the release of the Cloudistics Spark Guardian Edition operating system, a new security hardened, highly compliant OS that meets the strictest government security standards as part of the new Cloudistics 3.2 release.

"Cloudistics is now hardened to exceed the security requirements for many of the advanced federal contracts that are mandating a move to shared multi-tenanted cloud infrastructures," said Pete Jackson, Director DOD and IC Sales at Three Wire Systems. "We are seeing a huge demand for next-generation cloud computing like Cloudistics to meet the performance demands of real-time threat detection and prevention applications."

The Cloudistics Spark Guardian Edition OS was designed for customers in highly compliant sectors such as government and commercial customers in healthcare, finance, and insurance that require higher level government standard compliance certifications.

Xen Project Hypervisor Continues to Expand into Embedded Use Cases in Latest Release

Grazed from The Xen Project

The Xen Project, hosted at The Linux Foundation, today announced the release of Xen Project Hypervisor 4.8. The latest release focuses on advanced embedded use cases, features to support security-first environments and continued advancement in support of ARMv8-A based servers. Xen Project technology continues to see growth in these environments due to its flexibility, extensibility and customizability.

As the demand for 64-bit ARMv8-A data centers builds, Xen Project continues to lead by delivering advanced ARM server feature support. Xen Project Hypervisor 4.8 provides initial support for ARM server Live Patching. This allows users to apply security fixes to the Xen Project hypervisor without rebooting, providing five-to-nine reliability for ARM servers. The new feature, available as a preview, also supports the needs of security-first embedded uses cases, such as automotive and avionics.

Cloud Computing: Huawei Demos Open Network Hypervisor

Grazed from LightReading.  Author: Editorial Staff.

Huawei has successfully demonstrated its Open Network Hypervisor (OpenNH) solution during the Open Networking Summit 2015 in California.  The OpenNH is a Software-defined Networking (SDN)-based independent tenant virtual network solution which supports operators with accelerating service deployment, providing innovative open networks and enhancing secure separation between tenants, and reducing operation costs. If the solution is commercially used in the future, it will bring new business opportunities for network operators, data centers, and virtual operators.

As 4G evolves into 5G, the number of network users will increase sharply, particularly as more people leverage the Internet of Things. During this transition, operators will encounter a complex operating environment...

Cloud Computing: Nutanix hyper-converges upwards with bells, whistles and KVM

Grazed from TheRegister. Author: Chris Mellor.

In the name of server and storage efficiency, Nutanix has added KVM hypervisor support, erasure coding and new management to its hyper-converged systems, and promised VVOL-type integration, container and file-serving support. The aim is evidently to increase scale-out X86 server node, storage and admin efficiency, and top-level simplicity, by converging functionality stacks below the app and admin interfaces.

At its .NEXT conference in Miami, the city where DataCore is based, it announced its Xtreme Computing Platform (XCP) with Acropolis compute and storage software and its Prism management product. Acropolis consists of a customised KVM hypervisor, which along with ESXi and Hyper-V presents compute and storage services to guest OS’ and their applications...

HP Helion CloudSystem 9.0 expands support for multiple hypervisors, clouds

Grazed from WWPI. Author: Anna Riberio.

Hewlett-Packard announced updates to the HP Helion portfolio with debut of the HP Helion CloudSystem 9.0, an integrated enterprise cloud solution, and enhancements to HP Helion Managed Cloud Services to manage enterprise workloads in a secure hosted cloud environment.

HP Helion CloudSystem 9.0 expands support for multiple hypervisors and clouds to provide enterprises and service providers with maximum flexibility, HP announced Tuesday at the ongoing HP Discover 2015 conference. Additionally, HP Helion CloudSystem 9.0 integrates HP Helion OpenStack and the HP Helion Development Platform to provide customers an enterprise grade open source platform for cloud native application development and infrastructure...

New version of Xen hypervisor arrives for the cloud and enterprise

Grazed from ZDNet.  Author: Steven J. Vaughan-Nichols.

Xen, one of the oldest open-source hypervisors, has long been popular with major cloud services such as Amazon Web Services, Rackspace Public Cloud, and Verizon Cloud. Now, with improved performance, quality, security and scalability that today's cloud and enterprise data-center computing workloads demand.

In particular, for x86-based solutions this latest version offers improved cache monitoring technology. This, in turn, helps to resolve the "noisy neighbor" dilemma. A noisy neighbor is a virtual machine (VM), which demands more than its fair share of system resources thus slowing down other VMs.  The other significant new features and capabilities in Xen Project Hypervisor 4.5 include:...

Provider reboots call cloud computing hypervisor security into question

Grazed from TechTarget. Author: Rob Wright.

Following a series of unexpected reboots at several high-profile cloud computing service providers, cloud security experts warn that enterprises should prepare now to mitigate the effects of more security-related service disruptions in the future. Two weeks ago, Amazon Web Services Inc. notified its customers of an EC2 "maintenance update" that required a reboot of about 10% of its hosts globally.

The reboot applied a security update that corrected a flaw in the open source Xen hypervisor, which Amazon uses in its cloud architecture; the host servers required a system restart that rendered them unavailable "for a few minutes" while the patches were being applied, according to a blog post from Jeff Barr, chief evangelist for AWS...

Cloud Computing: VMware Adds Seven Analytics Content Packs to vCenter

Grazed from TalkinCloud. Author: Chris Talbot.

VMware (VMW) beefed up its analytics capabilities for machine data in its vCenter Log Insight product by releasing seven new content packs from various technology partners. The content packs were developed to enable vCenter Log Insight to consume unstructured data from a wider variety of sources while at the same time providing customers with more valuable insights into their data so they can more precisely and accurately identify and troubleshoot issues in virtual and cloud environments.

"Now our partners can target the broad VMware vSphere install base by augmenting VMware's analytics capabilities, and customers can go to our marketplace and get up-to date domain or purpose-built content packs for their specific deployments," said Ramin Sayar, senior vice president and general manager of cloud management at VMware, in a prepared statement...

Cloud Computing: Citrix and Industry Leaders Usher in New Era for Open Source Xen

Grazed from BusinessWire. Author: PR Announcement.

Citrix and The Linux Foundation today announced that open source community development for the Xen(R) virtualization platform will become a Linux Foundation Collaborative Project. Leveraging its proven model of collaborative development for the new Xen Project(TM) initiative, The Linux Foundation will provide infrastructure, guidance and a collaborative network. The neutral, member-led community will help accelerate cross-industry innovation around the Xen Project hypervisor, bringing guidance and contributions from a more diverse group of technology leaders.

Over the past decade, collaborative innovations in cloud computing, security and advanced processor support have made Xen the most scalable and secure hypervisor in the industry. It is these innovations that have led to the adoption of Xen and Citrix XenServer(R) as the platforms for powering approximately two-thirds of the public cloud revenue in the world. The initial set of supporters demonstrates the broad reach the technology has had in the marketplace. With more than 10 years of development and in use by more than 10 million users, the open source technology attracts contributions from organizations such as Amazon, AMD, Cambridge University, Citrix, Fujitsu, Intel, National Security Agency (NSA), Oracle and SUSE...