CVE-2019-14818
First published: Mon Aug 05 2019(Updated: )
A flaw was found in all dpdk version 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4 and 19.x.x before 19.08.1 where a malicious master, or a container with access to vhost_user socket, can send specially crafted VRING_SET_NUM messages, resulting in a memory leak including file descriptors. This flaw could lead to a denial of service condition.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/dpdk | <17.11.8 | 17.11.8 |
| redhat/dpdk | <16.11.10 | 16.11.10 |
| redhat/dpdk | <18.11.4 | 18.11.4 |
| redhat/dpdk | <19.08.1 | 19.08.1 |
| Dpdk Data Plane Development Kit | >=16.04<16.11.10 | |
| Dpdk Data Plane Development Kit | >=17.02<17.11.8 | |
| Dpdk Data Plane Development Kit | >=18.02<18.11.4 | |
| Dpdk Data Plane Development Kit | >=19.02<19.08.1 | |
| Redhat Enterprise Linux Fast Datapath | =7.0 | |
| Redhat Enterprise Linux Fast Datapath | =8.0 | |
| Redhat Openstack | =10 | |
| Redhat Virtualization Eus | =4.2 | |
| Fedoraproject Fedora | =31 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2020:0165
- https://access.redhat.com/errata/RHSA-2020:0166
- https://access.redhat.com/errata/RHSA-2020:0168
- https://access.redhat.com/errata/RHSA-2020:0171
- https://access.redhat.com/errata/RHSA-2020:0172
- https://bugs.dpdk.org/show_bug.cgi?id=363
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14818
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULJ3C7OVBOEVDGSHYC3VCLSUHANGTFFP/
- https://git.dpdk.org/dpdk/commit/?id=612e17cf6d7b
- https://git.dpdk.org/dpdk/commit/?id=bf472259dde6
- https://git.dpdk.org/dpdk-stable/commit/?h=19.08&id=fa674d08985f
- https://git.dpdk.org/dpdk-stable/commit/?h=19.08&id=6547dd563ea9
- https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=70583a6b9b1c
- https://git.dpdk.org/dpdk-stable/commit/?h=18.11&id=f8898927bb16
- https://git.dpdk.org/dpdk-stable/commit/?h=17.11&id=3b1b44a1c82a
- https://git.dpdk.org/dpdk-stable/commit/?h=17.11&id=8a8dbd0ec19e
- https://git.dpdk.org/dpdk-stable/commit/?h=17.11&id=1f6147d9a01f
- https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=5fbb5c2919b6
- https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=3863340f93b8
- https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=8790f4c3bcd2
- https://git.dpdk.org/dpdk-stable/commit/?h=16.11&id=1bf11cfb7c7c
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1771929
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1771930
- https://access.redhat.com/security/cve/cve-2019-14818
- https://access.redhat.com/errata/RHSA-2020:1226
- https://access.redhat.com/errata/RHSA-2020:1735
- https://bugzilla.redhat.com/show_bug.cgi?id=1737327
Frequently Asked Questions
What is CVE-2019-14818?
CVE-2019-14818 is a vulnerability in dpdk versions 17.x.x before 17.11.8, 16.x.x before 16.11.10, 18.x.x before 18.11.4, and 19.x.x before 19.08.1 that can result in a memory leak.
What is the severity of CVE-2019-14818?
CVE-2019-14818 has a severity of 7.5 (high).
How can a malicious attacker exploit CVE-2019-14818?
A malicious master or a container with access to vhost_user socket can send specially crafted VRING_SET_NUM messages to exploit CVE-2019-14818.
How can I fix CVE-2019-14818?
To fix CVE-2019-14818, update to dpdk version 17.11.8, 16.11.10, 18.11.4, or 19.08.1.
Where can I find more information about CVE-2019-14818?
You can find more information about CVE-2019-14818 at the following references: [1] [2] [3].
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14818
- agent/software-canonical-lookup
- vendor/dpdk
- canonical/dpdk data plane development kit
- version/dpdk data plane development kit/16.04
- version/dpdk data plane development kit/17.02
- version/dpdk data plane development kit/18.02
- version/dpdk data plane development kit/19.02
- vendor/redhat
- canonical/redhat enterprise linux fast datapath
- version/redhat enterprise linux fast datapath/7.0
- version/redhat enterprise linux fast datapath/8.0
- canonical/redhat openstack
- version/redhat openstack/10
- canonical/redhat virtualization eus
- version/redhat virtualization eus/4.2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- package-manager/redhat