12

I saw the advisory stating that EC2 instances are not vulnerable to VENOM.

My understanding is that EC2 runs on Xen, and that VENOM affects Xen.

Can anyone explain why EC2 is not vulnerable? Do they remove the floppy drive emulation? Or did they just patch, so they were vulnerable, but now they are not?

pkaeding

1 Answer

13

The Amazon advisory links to the original Xen advisory, in which one can read:

Systems running only x86 PV guests are not vulnerable.

So no problem for the PV instances. Regarding the HVM ones, Amazon explains that for performance reasons they managed to replace the HVM hardware drivers with the PV ones for storage and network operations (see PV on HVM).

Luckily enough, this vulnerability affects the storage emulation code. So the most probable explanation is that this performance tweak actually also avoided the VENOM vulnerability.

WhiteWinterWolf