CVE-2019-19922
First published: Sun Dec 22 2019(Updated: )
A flaw was found in the Linux kernel’s scheduler, where it can allow attackers to cause a denial of service against non-CPU-bound applications by generating a workload that triggers unwanted scheduling slice expiration. A local attacker who can trigger a specific workload type could abuse this technique to trigger a system to be seen as degraded, and possibly trigger workload-rebalance in systems that use the slice-expiration metric as a measure of system health.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-alt | <0:4.14.0-115.19.1.el7a | 0:4.14.0-115.19.1.el7a |
| redhat/kernel-rt | <0:4.18.0-193.rt13.51.el8 | 0:4.18.0-193.rt13.51.el8 |
| redhat/kernel | <0:4.18.0-193.el8 | 0:4.18.0-193.el8 |
| Linux Kernel | <5.3.9 | |
| Oracle SD-WAN Edge | =8.2 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.04 | |
| Debian | =8.0 | |
| NetApp Active IQ Unified Manager for VMware vSphere | ||
| NetApp Cloud Backup | ||
| NetApp Data Availability Services | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.70.2 | |
| NetApp FAS/AFF Baseboard Management Controller | ||
| NetApp HCI Baseboard Management Controller | =h610s | |
| NetApp SolidFire & HCI Management Node | ||
| NetApp SteelStore Cloud Integrated Storage | ||
| NetApp FAS/AFF Baseboard Management Controller | =a700 | |
| NetApp SolidFire | ||
| debian/linux | 5.10.223-1 5.10.234-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.17-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-19922 https://nvd.nist.gov/vuln/detail/CVE-2019-19922
- https://bugzilla.redhat.com/show_bug.cgi?id=1792512
- https://access.redhat.com/errata/RHSA-2020:1493
- https://access.redhat.com/errata/RHSA-2020:1567
- https://access.redhat.com/errata/RHSA-2020:1769
- https://access.redhat.com/security/cve/cve-2019-19922
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=de53fd7aedb100f03e5d2231cfce0e4993282425
- https://github.com/kubernetes/kubernetes/issues/67577
- https://github.com/torvalds/linux/commit/de53fd7aedb100f03e5d2231cfce0e4993282425
- https://relistan.com/the-kernel-may-be-slowing-down-your-app
- https://usn.ubuntu.com/4226-1/
- https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
- https://security.netapp.com/advisory/ntap-20200204-0002/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://launchpad.net/bugs/cve/CVE-2019-19922
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1792513
- https://git.kernel.org/linus/de53fd7aedb100f03e5d2231cfce0e4993282425
- https://security-tracker.debian.org/tracker/CVE-2019-19922
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19922
- https://nvd.nist.gov/vuln/detail/CVE-2019-19922
- https://ubuntu.com/security/CVE-2019-19922
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-19922?
CVE-2019-19922 has a severity rating of medium, as it can cause a denial of service for non-CPU-bound applications.
How do I fix CVE-2019-19922?
To fix CVE-2019-19922, upgrade to the patched versions of the affected Linux kernel packages as specified by your distribution.
Which Linux distributions are affected by CVE-2019-19922?
CVE-2019-19922 affects several Linux distributions, including Red Hat, Debian, Oracle Linux, and Ubuntu.
Can CVE-2019-19922 be exploited remotely?
CVE-2019-19922 cannot be exploited remotely; it requires local access to the system to execute the specific workload.
What types of applications are impacted by CVE-2019-19922?
CVE-2019-19922 specifically impacts non-CPU-bound applications that can be disrupted by the workload triggering unwanted scheduling slice expiration.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-19922
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/linux
- canonical/linux kernel
- vendor/oracle
- canonical/oracle sd-wan edge
- version/oracle sd-wan edge/8.2
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/18.04
- version/ubuntu/19.04
- vendor/debian
- canonical/debian
- version/debian/8.0
- vendor/netapp
- canonical/netapp active iq unified manager for vmware vsphere
- canonical/netapp cloud backup
- canonical/netapp data availability services
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.70.2
- canonical/netapp fas/aff baseboard management controller
- canonical/netapp hci baseboard management controller
- version/netapp hci baseboard management controller/h610s
- canonical/netapp solidfire & hci management node
- canonical/netapp steelstore cloud integrated storage
- version/netapp fas/aff baseboard management controller/a700
- canonical/netapp solidfire