Vulnerability CVE-2019-15902


Published: 2019-09-04

Description:
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.

Type:

CWE-200

(Information Exposure)

CVSS2 => (AV:L/AC:M/Au:N/C:C/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.7/10
6.9/10
3.4/10
Exploit range
Attack complexity
Authentication
Local
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
None
None
Affected software
Opensuse -> LEAP 
Netapp -> Active iq performance analytics services 
Netapp -> Service processor 
Netapp -> Baseboard management controller firmware 
Linux -> Linux kernel 
Debian -> Debian linux 

 References:
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html
https://seclists.org/bugtraq/2019/Sep/41
https://security.netapp.com/advisory/ntap-20191004-0001/
https://www.debian.org/security/2019/dsa-4531

Copyright 2020, cxsecurity.com

 

Back to Top