Venom Vulnerability and SiteGround Cloud and VPS Accounts


A serious security issue has been discovered in QEMU, one of the world's most popular machine emulators and virtualizers, which is used by the most popular virtualization systems, including KVM, Xen and others. The so-called Venom attack allows a user with root access to his/her virtual machine to gain root access to the entire host node under special circumstances. An official patch for qemu-kvm has already been released and it fixes the vulnerability.

How Does This Affect SiteGround Customers?

As we wrote in a blog post in January, we have switched our former VPS service to a new cloud hosting platform running on Linux containers. This platform does not use KVM or any other virtualization method, as it is based on Linux containers. This means that all SiteGround customers who launched their cloud plan after January 21st, 2015 are not affected in any way by this vulnerability.

However, our VPS and Cloud accounts ordered before the launch of our new container-based service are still using the KVM-based virtualization. The good news is that in order to gain root access to a VPS node, the attacker needs root access to at least one of the virtual machines on this node. For security reasons that now pay off, we do not provide such access to our VPS and cloud users. This means that even if you are on a SiteGround KVM-based machine, we've still got you covered.

Nevertheless, the vulnerability exists and it has to be patched. This is why our security team has been working around the clock since the exploit was announced. The official patch has been tested and we're currently deploying it on all KVM-based accounts that we have. The patch requires a reboot of the virtual machine in order to be applied, which will result in approximately 2 to 3 minutes of downtime per account. If your account is affected by this security reboot, you will be notified in your User Area.

Product Development - Technical

Enthusiastic about all Open Source applications you can think of, but mostly about WordPress. Add a pinch of love for web design, new technologies, search engine optimisation and you are pretty much there!

5 Comments

  1. May 17, 2015 / 13:28 mel ausman SiteGround Team

    Why is it that you are not supporting the latest Moodle updates with your databases? Moodle 2.9 requires the database file format update from Antelope to Barracuda. After talking with your tech person they will not update and my only choice is to get a very expensive update to my account. I've been updating the databases over the years as there have been many changes.

    After researching this I found that Barracuda will be the standard.

    You are alienating the educational establishment and teachers like me that have been using Moodle at your site for 8-10 years. I actually transferred to your site from GoDaddy.

    You have Moodle 2.9 in the Softaculous App.

    • May 19, 2015 / 02:38 Hristo Pandjarov SiteGround Team

      We will definitely look into this, thanks for your feedback!

      • June 22, 2015 / 03:17 Jose SiteGround Team

        Any update on this? I also need a hosting partner who is willing to upgrade the Moodle database from Antelope to Barracuda. If not, SiteGround is not the hosting partner for us anymore and we will have to end our hosting contracts with SiteGround.

        Cannot believe this is such an issue for SiteGround!

      • June 23, 2015 / 01:05 Hristo Pandjarov SiteGround Team

        The database update is only recommended but not mandatory for the latest Moodle version. This means that it can work just fine on the current setup. For further information about how to set up the application, please contact us via the Help Desk.

  2. April 14, 2017 / 07:24 Jack SiteGround Team

    Well it is a requirement now for Moodle 3.2+
