CVE-2019-14821
First published: Thu Aug 29 2019(Updated: )
An out-of-bounds access issue was found in the Linux kernel, all versions through 5.3, in the way Linux kernel's KVM hypervisor implements the Coalesced MMIO write operation. It operates on an MMIO ring buffer 'struct kvm_coalesced_mmio' object, wherein write indices 'ring->first' and 'ring->last' value could be supplied by a host user-space process. An unprivileged host user or process with access to '/dev/kvm' device could use this flaw to crash the host kernel, resulting in a denial of service or potentially escalating privileges on the system.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <0:2.6.32-754.25.1.el6 | 0:2.6.32-754.25.1.el6 |
| redhat/kernel-rt | <0:3.10.0-1062.7.1.rt56.1030.el7 | 0:3.10.0-1062.7.1.rt56.1030.el7 |
| redhat/kernel | <0:3.10.0-1062.7.1.el7 | 0:3.10.0-1062.7.1.el7 |
| redhat/kernel-alt | <0:4.14.0-115.16.1.el7a | 0:4.14.0-115.16.1.el7a |
| redhat/kernel | <0:3.10.0-957.56.1.el7 | 0:3.10.0-957.56.1.el7 |
| redhat/kernel-rt | <0:4.18.0-147.rt24.93.el8 | 0:4.18.0-147.rt24.93.el8 |
| redhat/kernel | <0:4.18.0-147.el8 | 0:4.18.0-147.el8 |
| redhat/kernel | <0:4.18.0-80.15.1.el8_0 | 0:4.18.0-80.15.1.el8_0 |
| Linux Kernel | >=2.6.27<=3.15.10 | |
| Linux Kernel | >=3.16<3.16.74 | |
| Linux Kernel | >=4.4<4.4.194 | |
| Linux Kernel | >=4.9<4.9.194 | |
| Linux Kernel | >=4.14<4.14.146 | |
| Linux Kernel | >=4.19<4.19.75 | |
| Linux Kernel | >=5.2<5.2.17 | |
| Linux Kernel | >=5.3<5.3.1 | |
| Linux Kernel | =5.4-rc1 | |
| redhat virtualization host | =4.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| redhat enterprise Linux desktop | =6.0 | |
| redhat enterprise Linux desktop | =7.0 | |
| redhat enterprise Linux eus | =7.7 | |
| redhat enterprise Linux for real time | =7 | |
| redhat enterprise Linux for real time | =8 | |
| redhat enterprise Linux server | =6.0 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux server aus | =7.7 | |
| redhat enterprise Linux server tus | =7.7 | |
| redhat enterprise Linux workstation | =6.0 | |
| redhat enterprise Linux workstation | =7.0 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =19.04 | |
| openSUSE | =15.0 | |
| openSUSE | =15.1 | |
| Fedoraproject Fedora | =29 | |
| Fedoraproject Fedora | =30 | |
| Debian GNU/Linux | =8.0 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| All of | ||
| NetApp AFF A700s Firmware | ||
| NetApp AFF A700s Firmware | ||
| All of | ||
| netapp h300s firmware | ||
| netapp h300s | ||
| All of | ||
| NetApp H500S Firmware | ||
| netapp h500s | ||
| All of | ||
| netapp h700s firmware | ||
| netapp h700s | ||
| All of | ||
| netapp h300e firmware | ||
| netapp h300e | ||
| All of | ||
| netapp h500e firmware | ||
| netapp h500e | ||
| All of | ||
| netapp h700e firmware | ||
| netapp h700e | ||
| All of | ||
| netapp h410s firmware | ||
| netapp h410s | ||
| All of | ||
| netapp h410c firmware | ||
| netapp h410c | ||
| All of | ||
| netapp h610s firmware | ||
| netapp h610s | ||
| netapp data availability services | ||
| netapp hci management node | ||
| netapp solidfire | ||
| Oracle SD-WAN Edge | =7.3 | |
| Oracle SD-WAN Edge | =8.0 | |
| Oracle SD-WAN Edge | =8.1 | |
| Oracle SD-WAN Edge | =8.2 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.13-1 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.04 | |
| Fedora | =29 | |
| Fedora | =30 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| NetApp AFF A700s Firmware | ||
| NetApp AFF A700s Firmware | ||
| netapp h300s firmware | ||
| netapp h300s | ||
| NetApp H500S Firmware | ||
| netapp h500s | ||
| netapp h700s firmware | ||
| netapp h700s | ||
| netapp h300e firmware | ||
| netapp h300e | ||
| netapp h500e firmware | ||
| netapp h500e | ||
| netapp h700e firmware | ||
| netapp h700e | ||
| netapp h410s firmware | ||
| netapp h410s | ||
| netapp h410c firmware | ||
| netapp h410c | ||
| netapp h610s firmware | ||
| netapp h610s |
Remedy
Restrict access to the '/dev/kvm' device to trusted users.
Remedy
Ensure that untrusted users cannot write to the /dev/kvm device
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-14821 https://nvd.nist.gov/vuln/detail/CVE-2019-14821
- https://bugzilla.redhat.com/show_bug.cgi?id=1746708
- https://access.redhat.com/errata/RHSA-2019:4256
- https://access.redhat.com/errata/RHSA-2019:3978
- https://access.redhat.com/errata/RHSA-2019:3979
- https://access.redhat.com/errata/RHSA-2019:4154
- https://access.redhat.com/errata/RHSA-2020:0027
- https://access.redhat.com/errata/RHSA-2020:2851
- https://access.redhat.com/errata/RHSA-2019:3309
- https://access.redhat.com/errata/RHSA-2019:3517
- https://access.redhat.com/errata/RHSA-2020:0204
- https://access.redhat.com/security/cve/cve-2019-14821
- http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html
- http://packetstormsecurity.com/files/155212/Slackware-Security-Advisory-Slackware-14.2-kernel-Updates.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://seclists.org/bugtraq/2019/Sep/41
- https://seclists.org/bugtraq/2019/Nov/11
- https://www.debian.org/security/2019/dsa-4531
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TRZQQQANZWQMPILZV7OTS3RGGRLLE2Q7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YW3QNMPENPFEGVTOFPSNOBL7JEIJS25P/
- https://usn.ubuntu.com/4157-1/
- https://usn.ubuntu.com/4157-2/
- https://usn.ubuntu.com/4162-1/
- https://usn.ubuntu.com/4162-2/
- https://usn.ubuntu.com/4163-1/
- https://usn.ubuntu.com/4163-2/
- https://lists.debian.org/debian-lts-announce/2019/09/msg00025.html
- https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html
- http://www.openwall.com/lists/oss-security/2019/09/20/1
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14821
- https://security.netapp.com/advisory/ntap-20191004-0001/
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00037.html
- http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00036.html
- https://launchpad.net/bugs/cve/CVE-2019-14821
- https://git.kernel.org/pub/scm/virt/kvm/kvm.git/commit/?id=b60fe990c6b07ef6d4df67bc0530c7c90a62623a
- https://www.openwall.com/lists/oss-security/2019/09/20/1
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1753596
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14821
- https://nvd.nist.gov/vuln/detail/CVE-2019-14821
- https://security-tracker.debian.org/tracker/CVE-2019-14821
- https://ubuntu.com/security/CVE-2019-14821
- https://git.kernel.org/linus/b60fe990c6b07ef6d4df67bc0530c7c90a62623a
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-14821?
CVE-2019-14821 is rated as high severity based on its impact on the security and stability of the Linux kernel.
How do I fix CVE-2019-14821?
To fix CVE-2019-14821, you should upgrade to a patched version of the kernel that addresses this vulnerability.
Which Linux kernel versions are affected by CVE-2019-14821?
CVE-2019-14821 affects all versions of the Linux kernel up to 5.3.
Is CVE-2019-14821 exploitable remotely?
CVE-2019-14821 may be exploited locally, but it is not typically considered a remote attack vulnerability.
What components of the Linux kernel are impacted by CVE-2019-14821?
CVE-2019-14821 specifically impacts the KVM hypervisor within the Linux kernel, particularly in its handling of Coalesced MMIO write operations.
- collector/redhat-cve
- agent/type
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14821
- agent/first-publish-date
- agent/weakness
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/remedy
- agent/references
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/last-modified-date
- agent/trending
- agent/source
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- collector/nvd-index
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/2.6.27
- version/linux kernel/3.15.10
- version/linux kernel/3.16
- version/linux kernel/4.4
- version/linux kernel/4.9
- version/linux kernel/4.14
- version/linux kernel/4.19
- version/linux kernel/5.2
- version/linux kernel/5.3
- version/linux kernel/5.4-rc1
- vendor/redhat
- canonical/redhat virtualization host
- version/redhat virtualization host/4.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/7.7
- canonical/redhat enterprise linux for real time
- version/redhat enterprise linux for real time/7
- version/redhat enterprise linux for real time/8
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.7
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.7
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/19.04
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.0
- version/opensuse/15.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/29
- version/fedoraproject fedora/30
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- vendor/netapp
- canonical/netapp aff a700s firmware
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/netapp h300e firmware
- canonical/netapp h300e
- canonical/netapp h500e firmware
- canonical/netapp h500e
- canonical/netapp h700e firmware
- canonical/netapp h700e
- canonical/netapp h410s firmware
- canonical/netapp h410s
- canonical/netapp h410c firmware
- canonical/netapp h410c
- canonical/netapp h610s firmware
- canonical/netapp h610s
- canonical/netapp data availability services
- canonical/netapp hci management node
- canonical/netapp solidfire
- vendor/oracle
- canonical/oracle sd-wan edge
- version/oracle sd-wan edge/7.3
- version/oracle sd-wan edge/8.0
- version/oracle sd-wan edge/8.1
- version/oracle sd-wan edge/8.2
- package-manager/debian
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.04
- canonical/fedora
- version/fedora/29
- version/fedora/30
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0