CVE-2019-19922
First published: Sun Dec 22 2019(Updated: )
kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-alt | <0:4.14.0-115.19.1.el7a | 0:4.14.0-115.19.1.el7a |
| redhat/kernel-rt | <0:4.18.0-193.rt13.51.el8 | 0:4.18.0-193.rt13.51.el8 |
| redhat/kernel | <0:4.18.0-193.el8 | 0:4.18.0-193.el8 |
| ubuntu/linux | <4.15.0-69.78 | 4.15.0-69.78 |
| ubuntu/linux | <5.0.0-38.41 | 5.0.0-38.41 |
| ubuntu/linux | <5.3.0-24.26 | 5.3.0-24.26 |
| ubuntu/linux | <5.4~ | 5.4~ |
| ubuntu/linux-aws | <4.15.0-1054.56 | 4.15.0-1054.56 |
| ubuntu/linux-aws | <5.0.0-1023.26 | 5.0.0-1023.26 |
| ubuntu/linux-aws | <5.3.0-1008.9 | 5.3.0-1008.9 |
| ubuntu/linux-aws | <5.4~ | 5.4~ |
| ubuntu/linux-aws-5.0 | <5.0.0-1023.26~18.04.1 | 5.0.0-1023.26~18.04.1 |
| ubuntu/linux-aws-5.0 | <5.4~ | 5.4~ |
| ubuntu/linux-aws-hwe | <5.4~ | 5.4~ |
| ubuntu/linux-aws-hwe | <4.15.0-1054.56~16.04.1 | 4.15.0-1054.56~16.04.1 |
| ubuntu/linux-azure | <5.0.0-1027.29~18.04.1 | 5.0.0-1027.29~18.04.1 |
| ubuntu/linux-azure | <5.0.0-1027.29 | 5.0.0-1027.29 |
| ubuntu/linux-azure | <5.3.0-1008.9 | 5.3.0-1008.9 |
| ubuntu/linux-azure | <4.15.0-1063.68~14.04.1 | 4.15.0-1063.68~14.04.1 |
| ubuntu/linux-azure | <5.4~ | 5.4~ |
| ubuntu/linux-azure | <4.15.0-1063.68 | 4.15.0-1063.68 |
| ubuntu/linux-azure-5.3 | <5.3.0-1008.9~18.04.1 | 5.3.0-1008.9~18.04.1 |
| ubuntu/linux-azure-5.3 | <5.4~ | 5.4~ |
| ubuntu/linux-azure-edge | <5.4~ | 5.4~ |
| ubuntu/linux-gcp | <5.0.0-1028.29~18.04.1 | 5.0.0-1028.29~18.04.1 |
| ubuntu/linux-gcp | <5.0.0-1028.29 | 5.0.0-1028.29 |
| ubuntu/linux-gcp | <5.3.0-1009.10 | 5.3.0-1009.10 |
| ubuntu/linux-gcp | <5.4~ | 5.4~ |
| ubuntu/linux-gcp | <4.15.0-1049.52 | 4.15.0-1049.52 |
| ubuntu/linux-gcp-5.3 | <5.3.0-1009.10~18.04.1 | 5.3.0-1009.10~18.04.1 |
| ubuntu/linux-gcp-5.3 | <5.4~ | 5.4~ |
| ubuntu/linux-gcp-edge | <5.4~ | 5.4~ |
| ubuntu/linux-gke-4.15 | <4.15.0-1048.51 | 4.15.0-1048.51 |
| ubuntu/linux-gke-4.15 | <5.4~ | 5.4~ |
| ubuntu/linux-gke-5.0 | <5.0.0-1027.28~18.04.1 | 5.0.0-1027.28~18.04.1 |
| ubuntu/linux-gke-5.0 | <5.4~ | 5.4~ |
| ubuntu/linux-gke-5.3 | <5.4~ | 5.4~ |
| ubuntu/linux-hwe | <5.3.0-26.28~18.04.1 | 5.3.0-26.28~18.04.1 |
| ubuntu/linux-hwe | <5.4~ | 5.4~ |
| ubuntu/linux-hwe | <4.15.0-69.78~16.04.1 | 4.15.0-69.78~16.04.1 |
| ubuntu/linux-hwe-edge | <5.4~ | 5.4~ |
| ubuntu/linux-kvm | <4.15.0-1050.50 | 4.15.0-1050.50 |
| ubuntu/linux-kvm | <5.0.0-1024.26 | 5.0.0-1024.26 |
| ubuntu/linux-kvm | <5.3.0-1008.9 | 5.3.0-1008.9 |
| ubuntu/linux-kvm | <5.4~ | 5.4~ |
| ubuntu/linux-lts-trusty | <5.4~ | 5.4~ |
| ubuntu/linux-lts-xenial | <5.4~ | 5.4~ |
| ubuntu/linux-oem | <4.15.0-1063.72 | 4.15.0-1063.72 |
| ubuntu/linux-oem | <4.15.0-1063.72 | 4.15.0-1063.72 |
| ubuntu/linux-oem | <5.4~ | 5.4~ |
| ubuntu/linux-oem-5.6 | <5.4~ | 5.4~ |
| ubuntu/linux-oem-osp1 | <5.0.0-1033.38 | 5.0.0-1033.38 |
| ubuntu/linux-oem-osp1 | <5.0.0-1033.38 | 5.0.0-1033.38 |
| ubuntu/linux-oem-osp1 | <5.4~ | 5.4~ |
| ubuntu/linux-oracle | <4.15.0-1029.32 | 4.15.0-1029.32 |
| ubuntu/linux-oracle | <5.0.0-1009.14 | 5.0.0-1009.14 |
| ubuntu/linux-oracle | <5.3.0-1007.8 | 5.3.0-1007.8 |
| ubuntu/linux-oracle | <5.4~ | 5.4~ |
| ubuntu/linux-oracle | <4.15.0-1029.32~16.04.1 | 4.15.0-1029.32~16.04.1 |
| ubuntu/linux-oracle-5.0 | <5.0.0-1009.14~18.04.1 | 5.0.0-1009.14~18.04.1 |
| ubuntu/linux-oracle-5.0 | <5.4~ | 5.4~ |
| ubuntu/linux-oracle-5.3 | <5.4~ | 5.4~ |
| ubuntu/linux-raspi2 | <4.15.0-1050.54 | 4.15.0-1050.54 |
| ubuntu/linux-raspi2 | <5.0.0-1024.25 | 5.0.0-1024.25 |
| ubuntu/linux-raspi2 | <5.3.0-1014.16 | 5.3.0-1014.16 |
| ubuntu/linux-raspi2 | <5.4~ | 5.4~ |
| ubuntu/linux-raspi2-5.3 | <5.4~ | 5.4~ |
| ubuntu/linux-snapdragon | <4.15.0-1067.74 | 4.15.0-1067.74 |
| ubuntu/linux-snapdragon | <5.4~ | 5.4~ |
| Linux Linux kernel | <5.3.9 | |
| Oracle SD-WAN Edge | =8.2 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =19.04 | |
| Debian Debian Linux | =8.0 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Cloud Backup | ||
| Netapp Data Availability Services | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.70.2 | |
| Netapp Fas\/aff Baseboard Management Controller | ||
| Netapp Hci Baseboard Management Controller | =h610s | |
| Netapp Solidfire \& Hci Management Node | ||
| Netapp Steelstore Cloud Integrated Storage | ||
| Netapp Aff Baseboard Management Controller | =a700 | |
| Netapp Solidfire Baseboard Management Controller | ||
| debian/linux | 4.19.249-2 4.19.304-1 5.10.209-2 5.10.216-1 6.1.76-1 6.1.90-1 6.7.12-1 6.8.9-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-19922 https://nvd.nist.gov/vuln/detail/CVE-2019-19922
- https://bugzilla.redhat.com/show_bug.cgi?id=1792512
- https://access.redhat.com/errata/RHSA-2020:1493
- https://access.redhat.com/errata/RHSA-2020:1567
- https://access.redhat.com/errata/RHSA-2020:1769
- https://access.redhat.com/security/cve/cve-2019-19922
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=de53fd7aedb100f03e5d2231cfce0e4993282425
- https://github.com/kubernetes/kubernetes/issues/67577
- https://github.com/torvalds/linux/commit/de53fd7aedb100f03e5d2231cfce0e4993282425
- https://relistan.com/the-kernel-may-be-slowing-down-your-app
- https://usn.ubuntu.com/4226-1/
- https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
- https://security.netapp.com/advisory/ntap-20200204-0002/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://launchpad.net/bugs/cve/CVE-2019-19922
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1792513
- https://git.kernel.org/linus/de53fd7aedb100f03e5d2231cfce0e4993282425
- https://security-tracker.debian.org/tracker/CVE-2019-19922
- https://ubuntu.com/security/notices/USN-4226-1
- https://www.cve.org/CVERecord?id=CVE-2019-19922
- https://nvd.nist.gov/vuln/detail/CVE-2019-19922
- https://git.kernel.org/linus/512ac999d2755d2b7109e996a76b6fb8b888631d
- https://ubuntu.com/security/CVE-2019-19922
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-19922
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- agent/description
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian
- vendor/linux
- canonical/linux linux kernel
- vendor/oracle
- canonical/oracle sd-wan edge
- version/oracle sd-wan edge/8.2
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/19.04
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp cloud backup
- canonical/netapp data availability services
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.70.2
- canonical/netapp fas\/aff baseboard management controller
- canonical/netapp hci baseboard management controller
- version/netapp hci baseboard management controller/h610s
- canonical/netapp solidfire \& hci management node
- canonical/netapp steelstore cloud integrated storage
- canonical/netapp aff baseboard management controller
- version/netapp aff baseboard management controller/a700
- canonical/netapp solidfire baseboard management controller