<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments on: Venom Security Vulnerability</title>
	<atom:link href="http://www.epanorama.net/blog/2015/05/13/venom-security-vulnerability/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2015/05/13/venom-security-vulnerability/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 05 Apr 2026 18:35:45 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2015/05/13/venom-security-vulnerability/comment-page-1/#comment-1393195</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 19 May 2015 07:40:54 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/newepa/?p=31890#comment-1393195</guid>
		<description><![CDATA[Oracle releases antidote for VENOM vulnerability
Patch but don&#039;t panic
http://www.theregister.co.uk/2015/05/19/oracle_patches_venom/

Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts.

The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem.

Researcher Jason Geffner of threat intelligence outfit Crowdstrike quietly tipped off vendors including Oracle to VENOM (Virtualised Environment Neglected Operations Manipulation) (CVE-2015-3456) and notified the Oracle, QEMU, and Xen mailing lists.

&quot;The vulnerable virtual Floppy Disk Controller (FDC) code is included in various virtualisation platforms and is used in some Oracle products,&quot; the company says in a patch advisory.

&quot;The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC.&quot;

The vulnerability can only be remotely exploited if attackers are logged into a box, but Oracle still considers it severe enough to &quot;strongly recommend&quot; customers apply the patches and reboot as soon as possible.

That limitation prevented mass exploitation.

Affected versions include VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28; Oracle VM 2.2, 3.2, and 3.3, and Oracle Linux 5, 6, and 7.]]></description>
		<content:encoded><![CDATA[<p>Oracle releases antidote for VENOM vulnerability<br />
Patch but don&#8217;t panic<br />
<a href="http://www.theregister.co.uk/2015/05/19/oracle_patches_venom/" rel="nofollow">http://www.theregister.co.uk/2015/05/19/oracle_patches_venom/</a></p>
<p>Oracle has released patches for its virtualisation software to crimp the VENOM vulnerability that allows attackers to break out of virtual machines to attack hosts.</p>
<p>The company follows a host of others including KVM and Xen which have patched the buffer overflow bug. VMware, Microsoft, and Bochs are immune to the problem.</p>
<p>Researcher Jason Geffner of threat intelligence outfit Crowdstrike quietly tipped off vendors including Oracle to VENOM (Virtualised Environment Neglected Operations Manipulation) (CVE-2015-3456) and notified the Oracle, QEMU, and Xen mailing lists.</p>
<p>&#8220;The vulnerable virtual Floppy Disk Controller (FDC) code is included in various virtualisation platforms and is used in some Oracle products,&#8221; the company says in a patch advisory.</p>
<p>&#8220;The vulnerability may be exploitable by an attacker who has access to an account on the guest operating system with privilege to access the FDC.&#8221;</p>
<p>The vulnerability can only be remotely exploited if attackers are logged into a box, but Oracle still considers it severe enough to &#8220;strongly recommend&#8221; customers apply the patches and reboot as soon as possible.</p>
<p>That limitation prevented mass exploitation.</p>
<p>Affected versions include VirtualBox 3.2, 4.0, 4.1, 4.2, and 4.3 prior to 4.3.28; Oracle VM 2.2, 3.2, and 3.3, and Oracle Linux 5, 6, and 7.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
