CVSS2: AV:L/AC:L/Au:N/C:P/I:N/A:N

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS3: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | HIGH |
Privileges Required | LOW |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

AI Score confidence: High

EPSS percentile: 35.1%

An information disclosure vulnerability exists when certain central
processing units (CPU) speculatively access memory. An attacker who
successfully exploited the vulnerability could read privileged data across
trust boundaries. To exploit this vulnerability, an attacker would have to
log on to an affected system and run a specially crafted application. The
vulnerability would not allow an attacker to elevate user rights directly,
but it could be used to obtain information that could be used to try to
compromise the affected system further.

On January 3, 2018, Microsoft
released an advisory and security updates related to a newly-discovered
class of hardware vulnerabilities (known as Spectre) involving speculative
execution side channels that affect AMD, ARM, and Intel CPUs to varying
degrees. This vulnerability, released on August 6, 2019, is a variant of
the Spectre Variant 1 speculative execution side channel vulnerability and
has been assigned CVE-2019-1125. Microsoft released a security update on
July 9, 2019 that addresses the vulnerability through a software change
that mitigates how the CPU speculatively accesses memory. Note that this
vulnerability does not require a microcode update from your device OEM.
Author | Note |
---|---|
tyhicks | This issue is not believed to be exploitable in the Linux kernel but kernel updates will be made available to ensure that it cannot be exploited. Kernel updates will soon be available for testing in the Proposed pocket and they are expected to be officially released on August 12th. See the following page if you’d like to test the patched kernels from the Proposed pocket: https://wiki.ubuntu.com/Testing/EnableProposed |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < 4.15.0-58.64 | UNKNOWN |
ubuntu | 19.04 | noarch | linux | < 5.0.0-25.26 | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < 4.4.0-159.187 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < 4.15.0-1045.47 | UNKNOWN |
ubuntu | 19.04 | noarch | linux-aws | < 5.0.0-1012.13 | UNKNOWN |
ubuntu | 14.04 | noarch | linux-aws | < 4.4.0-1054.58 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws | < 4.4.0-1090.101 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws-hwe | < 4.15.0-1045.47~16.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure | < 5.0.0-1014.14~18.04.1 | UNKNOWN |
ubuntu | 19.04 | noarch | linux-azure | < 5.0.0-1014.14 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2019-1125
nvd.nist.gov/vuln/detail/CVE-2019-1125
security-tracker.debian.org/tracker/CVE-2019-1125
ubuntu.com/security/notices/USN-4093-1
ubuntu.com/security/notices/USN-4094-1
ubuntu.com/security/notices/USN-4095-1
ubuntu.com/security/notices/USN-4095-2
ubuntu.com/security/notices/USN-4096-1
www.bitdefender.com/business/swapgs-attack.html
www.cve.org/CVERecord?id=CVE-2019-1125