CVE-2020-4788: Infoleak
First published: Wed Oct 14 2020(Updated: )
A flaw was found in the Linux kernel. IBM Power9 processors can speculatively operate on data stored in the L1 cache before it has been completely validated. The attack has limited access to memory and is only able to access memory normally permissible to the execution context. The highest threat from this vulnerability is to data confidentiality.
Credit: psirt@us.ibm.com psirt@us.ibm.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM i | <=7.1 | |
| IBM i | <=7.2 | |
| IBM i | <=7.3 | |
| IBM i | <=7.4 | |
| IBM AIX | <=7.1 | |
| IBM AIX | <=7.2 | |
| IBM VIOS | <=3.1 | |
| redhat/kernel | <0:4.18.0-372.9.1.el8 | 0:4.18.0-372.9.1.el8 |
| IBM VIOS | =3.1.0 | |
| IBM VIOS | =3.1.1 | |
| IBM VIOS | =3.1.2 | |
| IBM AIX | =7.1.0 | |
| IBM AIX | =7.1.5 | |
| IBM AIX | =7.2.0 | |
| IBM AIX | =7.2.3 | |
| IBM AIX | =7.2.4 | |
| IBM AIX | =7.2.5 | |
| IBM Power9 | ||
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Oracle Communications Cloud Native Core Binding Support Function | =22.1.3 | |
| Oracle Communications Cloud Native Core Network Exposure Function | =22.1.1 | |
| Oracle Communications Cloud Native Core Policy | =22.2.0 | |
| IBM AIX | <=7.1 | |
| IBM AIX | <=7.2 | |
| IBM VIOS | <=3.1 | |
| All of | ||
| Any of | ||
| IBM VIOS | =3.1.0 | |
| IBM VIOS | =3.1.1 | |
| IBM VIOS | =3.1.2 | |
| IBM AIX | =7.1.0 | |
| IBM AIX | =7.1.5 | |
| IBM AIX | =7.2.0 | |
| IBM AIX | =7.2.3 | |
| IBM AIX | =7.2.4 | |
| IBM AIX | =7.2.5 | |
| IBM Power9 | ||
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.5-1 6.11.7-1 |
Remedy
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.ibm.com/support/pages/node/6370729 (Advisory)
- https://www.ibm.com/support/pages/node/6370719
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4788
- https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-4788
- https://www.cve.org/CVERecord?id=CVE-2020-4788 https://nvd.nist.gov/vuln/detail/CVE-2020-4788 https://exchange.xforce.ibmcloud.com/vulnerabilities/189296 https://lore.kernel.org/linuxppc-dev/20201119231333.361771-1-dja@axtens.net/T/#me4f6a44748747e3327d27cd95200bf7a87486ffc https://www.openwall.com/lists/oss-security/2020/11/20/3
- https://bugzilla.redhat.com/show_bug.cgi?id=1888433
- https://access.redhat.com/errata/RHSA-2022:1988
- https://access.redhat.com/security/cve/cve-2020-4788
- http://www.openwall.com/lists/oss-security/2020/11/20/3
- https://exchange.xforce.ibmcloud.com/vulnerabilities/189296
- http://www.openwall.com/lists/oss-security/2020/11/23/1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZF4OGZPKTAJJXWHPIFP3LHEWWEMR5LPT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TITJQPYDWZ4NB2ONJWUXW75KSQIPF35T/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://launchpad.net/bugs/cve/CVE-2020-4788
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1900437
- https://lore.kernel.org/linuxppc-dev/20201119231333.361771-1-dja@axtens.net/T/#me4f6a44748747e3327d27cd95200bf7a87486ffc
- https://www.openwall.com/lists/oss-security/2020/11/20/3
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TITJQPYDWZ4NB2ONJWUXW75KSQIPF35T/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZF4OGZPKTAJJXWHPIFP3LHEWWEMR5LPT/
- https://security-tracker.debian.org/tracker/CVE-2020-4788
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4788
- https://nvd.nist.gov/vuln/detail/CVE-2020-4788
- https://ubuntu.com/security/CVE-2020-4788
- collector/xforce-vulnerability
- alias/CVE-2020-4788
- vendor/ibm
- vendor/i
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- collector/nvd-index
- agent/software-canonical-lookup
- agent/author
- agent/weakness
- agent/remedy
- agent/description
- collector/ibm-support
- source/IBM
- collector/nvd-cve
- source/NVD
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- canonical/ibm i
- version/ibm i/7.1
- version/ibm i/7.2
- version/ibm i/7.3
- version/ibm i/7.4
- package-manager/redhat
- canonical/ibm vios
- version/ibm vios/3.1.0
- version/ibm vios/3.1.1
- version/ibm vios/3.1.2
- canonical/ibm aix
- version/ibm aix/7.1.0
- version/ibm aix/7.1.5
- version/ibm aix/7.2.0
- version/ibm aix/7.2.3
- version/ibm aix/7.2.4
- version/ibm aix/7.2.5
- canonical/ibm power9
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- vendor/oracle
- canonical/oracle communications cloud native core binding support function
- version/oracle communications cloud native core binding support function/22.1.3
- canonical/oracle communications cloud native core network exposure function
- version/oracle communications cloud native core network exposure function/22.1.1
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/22.2.0
- version/ibm aix/7.1
- version/ibm aix/7.2
- version/ibm vios/3.1
- package-manager/debian