CVSS2
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:L/AC:L/Au:N/C:P/I:N/A:N |

CVSS3
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |

EPSS
Metric | Value |
---|---|
Percentile | 10.1% |

The mincore() implementation in mm/mincore.c in the Linux kernel through
4.19.13 allowed local attackers to observe page cache access patterns of
other processes on the same system, potentially allowing sniffing of secret
information. (Fixing this affects the output of the fincore program.)
Limited remote exploitation may be possible, as demonstrated by latency
differences in accessing public files from an Apache HTTP Server.
Author | Note |
---|---|
tyhicks | On 2018-01-06, a potential fix for this issue was committed in the upstream kernel git tree. The potential fix changes the behavior of the mincore(2) system call in ways that could possibly break userspace applications. The potential fix landed during the kernel’s “merge window” which allows for the change to mature and receive additional testing. Applying the potential fix to Ubuntu kernels, at this time, could potentially break some existing applications. Ubuntu will continue to monitor related changes in the upstream kernel and evaluate/test the potential fix. |
sbeattie | v1 fix was reverted. v2 of fix is now 134fca9063ad4851de767d1768180e5dede9a881 |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | linux | < 4.15.0-60.67 | UNKNOWN |
ubuntu | 19.04 | noarch | linux | < 5.0.0-25.26 | UNKNOWN |
ubuntu | 16.04 | noarch | linux | < 4.4.0-157.185 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-aws | < 4.15.0-1047.49 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws | < 4.4.0-1090.101 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-aws-hwe | < 4.15.0-1047.49~16.04.1 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure | < 5.0.0-1014.14~18.04.1 | UNKNOWN |
ubuntu | 19.04 | noarch | linux-azure | < 5.0.0-1014.14 | UNKNOWN |
ubuntu | 16.04 | noarch | linux-azure | < 4.15.0-1056.61 | UNKNOWN |
ubuntu | 18.04 | noarch | linux-azure-edge | < 5.0.0-1014.14~18.04.1 | UNKNOWN |
arxiv.org/pdf/1901.01161.pdf
launchpad.net/bugs/cve/CVE-2019-5489
lore.kernel.org/lkml/CAHk-=wg+C65FJHB=Jx1OvuJP4kvpWdw+5G=XOXB6X_KB2XuofA@mail.gmail.com/#t
lore.kernel.org/lkml/CAHk-=wiqbKEC5jUXr3ax+oUuiRrp=QMv_ZnUfO-SPv=UNJ-OTw@mail.gmail.com/
lore.kernel.org/lkml/[email protected]/
nvd.nist.gov/vuln/detail/CVE-2019-5489
security-tracker.debian.org/tracker/CVE-2019-5489
www.cve.org/CVERecord?id=CVE-2019-5489
www.openwall.com/lists/oss-security/2019/01/07/2