A new security vulnerability was announced yesterday (CVE-2015-3456, nicknamed VENOM) in KVM/QEMU’s floppy disk controller emulation. It can theoretically allow an attacker to execute arbitrary code on the host but reproducers for this have not yet been seen.
We already have several mitigations in place for this kind of attack but have of course rolled out a fix for this vulnerability to all our hosts. All newly built cloud servers will have the update applied and will not be vulnerable, but existing cloud servers need stopping and starting for the update the take effect (not a reboot: a full shutdown, stop and start cycle).
We recommend that you schedule stop/starts of your own cloud servers asap. We’ll be monitoring the situation and may schedule enforced stop/starts of all outstanding cloud servers if the severity is escalated.
Updates to Cloud Load Balancers and Cloud SQL Instances are managed by us without interruption to service (or within the agreed scheduled maintenance windows). You don’t need to take any action for these.
