CVE-2019-5489 Information
Description
The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible as demonstrated by latency differences in accessing public files from an Apache HTTP Server.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Reference
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00071.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00048.html
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-pagecache-en
http://www.securityfocus.com/bid/106478
https://access.redhat.com/errata/RHSA-2019:2029
https://access.redhat.com/errata/RHSA-2019:2043
https://access.redhat.com/errata/RHSA-2019:2473
https://access.redhat.com/errata/RHSA-2019:2808
https://access.redhat.com/errata/RHSA-2019:2809
https://access.redhat.com/errata/RHSA-2019:2837
https://access.redhat.com/errata/RHSA-2019:3309
https://access.redhat.com/errata/RHSA-2019:3517
https://access.redhat.com/errata/RHSA-2019:3967
https://access.redhat.com/errata/RHSA-2019:4056
https://access.redhat.com/errata/RHSA-2019:4057
https://access.redhat.com/errata/RHSA-2019:4058
https://access.redhat.com/errata/RHSA-2019:4159
https://access.redhat.com/errata/RHSA-2019:4164
https://access.redhat.com/errata/RHSA-2019:4255
https://access.redhat.com/errata/RHSA-2020:0204
https://arxiv.org/abs/1901.01161
https://bugzilla.suse.com/show_bug.cgi?id=1120843
https://github.com/torvalds/linux/commit/574823bfab82d9d8fa47f422778043fbb4b4f50e
https://lists.debian.org/debian-lts-announce/2019/06/msg00010.html
https://lists.debian.org/debian-lts-announce/2019/06/msg00011.html
https://seclists.org/bugtraq/2019/Jun/26
https://security.netapp.com/advisory/ntap-20190307-0001/
https://www.debian.org/security/2019/dsa-4465
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.theregister.co.uk/2019/01/05/boffins_beat_page_cache/
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.5
Base Severity
MEDIUM