CVE-2019-5489

LOW

Description

The mincore() implementation in mm/mincore.c in the Linux kernel through 4.19.13 allowed local attackers to observe page cache access patterns of other processes on the same system, potentially allowing sniffing of secret information. (Fixing this affects the output of the fincore program.) Limited remote exploitation may be possible, as demonstrated by latency differences in accessing public files from an Apache HTTP Server.

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=574823bfab82d9d8fa47f422778043fbb4b4f50e

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00071.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00039.html

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00048.html

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20200115-01-pagecache-en

http://www.securityfocus.com/bid/106478

https://access.redhat.com/errata/RHSA-2019:2029

https://access.redhat.com/errata/RHSA-2019:2043

https://access.redhat.com/errata/RHSA-2019:2473

https://access.redhat.com/errata/RHSA-2019:2808

https://access.redhat.com/errata/RHSA-2019:2809

https://access.redhat.com/errata/RHSA-2019:2837

https://access.redhat.com/errata/RHSA-2019:3309

https://access.redhat.com/errata/RHSA-2019:3517

https://access.redhat.com/errata/RHSA-2019:3967

https://access.redhat.com/errata/RHSA-2019:4056

https://access.redhat.com/errata/RHSA-2019:4057

https://access.redhat.com/errata/RHSA-2019:4058

https://access.redhat.com/errata/RHSA-2019:4159

https://access.redhat.com/errata/RHSA-2019:4164

https://access.redhat.com/errata/RHSA-2019:4255

https://access.redhat.com/errata/RHSA-2020:0204

https://arxiv.org/abs/1901.01161

https://bugzilla.suse.com/show_bug.cgi?id=1120843

https://github.com/torvalds/linux/commit/574823bfab82d9d8fa47f422778043fbb4b4f50e

https://lists.debian.org/debian-lts-announce/2019/06/msg00010.html

https://lists.debian.org/debian-lts-announce/2019/06/msg00011.html

https://seclists.org/bugtraq/2019/Jun/26

https://security.netapp.com/advisory/ntap-20190307-0001/

https://www.debian.org/security/2019/dsa-4465

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.theregister.co.uk/2019/01/05/boffins_beat_page_cache/

Details

Source: MITRE

Published: 2019-01-07

Updated: 2020-08-24

Type: CWE-319

Risk Information

CVSS v2.0

Base Score: 2.1

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3.0

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 1.8

Severity: MEDIUM