CVE-2019-5489

medium

Description

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.

References

https://www.theregister.co.uk/2019/01/05/boffins_beat_page_cache/

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.debian.org/security/2019/dsa-4465

https://security.netapp.com/advisory/ntap-20190307-0001/

https://seclists.org/bugtraq/2019/Jun/26

https://lists.debian.org/debian-lts-announce/2019/06/msg00011.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00010.html

https://github.com/torvalds/linux/commit/574823bfab82d9d8fa47f422778043fbb4b4f50e

https://bugzilla.suse.com/show_bug.cgi?id=1120843

https://arxiv.org/abs/1901.01161

https://access.redhat.com/errata/RHSA-2020:0204

https://access.redhat.com/errata/RHSA-2019:4255

https://access.redhat.com/errata/RHSA-2019:4164

https://access.redhat.com/errata/RHSA-2019:4159

https://access.redhat.com/errata/RHSA-2019:4058

https://access.redhat.com/errata/RHSA-2019:4057

https://access.redhat.com/errata/RHSA-2019:4056

https://access.redhat.com/errata/RHSA-2019:3967

https://access.redhat.com/errata/RHSA-2019:3517

https://access.redhat.com/errata/RHSA-2019:3309

https://access.redhat.com/errata/RHSA-2019:2837

https://access.redhat.com/errata/RHSA-2019:2809

https://access.redhat.com/errata/RHSA-2019:2808

https://access.redhat.com/errata/RHSA-2019:2473

https://access.redhat.com/errata/RHSA-2019:2043

https://access.redhat.com/errata/RHSA-2019:2029

http://www.securityfocus.com/bid/106478

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-pagecache-en

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00048.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00071.html

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e

Details

Source: Mitre, NVD

Published: 2019-01-07

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Severity: Medium