CVE-2019-15902
CVE-2019-15902 is a medium-severity vulnerability rated 5.6/10 on the CVSS scale. A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. EPSS estimates a 0.59% chance of exploitation in the next 30 days.
Description
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
Metrics
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | >= 4.4, <= 4.4.190 |
| Linux | Linux Kernel | >= 4.9, <= 4.9.190 |
| Linux | Linux Kernel | >= 4.14, <= 4.14.141 |
| Linux | Linux Kernel | >= 4.19, <= 4.19.69 |
| Linux | Linux Kernel | >= 5.2, <= 5.2.11 |
| NetApp | Active IQ Performance Analytics Services | All versions |
| NetApp | Service Processor | All versions |
| Debian | Debian Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| openSUSE | Leap | 15.0 |
| openSUSE | Leap | 15.1 |
| NetApp | Baseboard Management Controller Firmware | All versions |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html (Third Party Advisory)
- https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php (Exploit, Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html (Third Party Advisory)
- https://seclists.org/bugtraq/2019/Sep/41 (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20191004-0001/ (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4531 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
