Vulnerability Details : CVE-2019-15902
Potential exploit
A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.
Vulnerability category: Information leak
Products affected by CVE-2019-15902
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_performance_analytics_services:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:service_processor:-:*:*:*:*:*:*:*
- cpe:2.3:o:netapp:baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-15902
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- Percentile: ~22% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-15902
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.7 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:N/A:N | 3.4 | 6.9 | NIST | |
5.6 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N | 1.1 | 4.0 | NIST | |
CWE ids for CVE-2019-15902
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-15902
- https://usn.ubuntu.com/4163-2/
  USN-4163-2: Linux kernel (Xenial HWE) vulnerabilities | Ubuntu security notices
- https://lists.debian.org/debian-lts-announce/2019/10/msg00000.html
  [SECURITY] [DLA 1940-1] linux-4.9 security update (Third Party Advisory)
- https://usn.ubuntu.com/4162-2/
  USN-4162-2: Linux kernel (Azure) vulnerabilities | Ubuntu security notices
- https://security.netapp.com/advisory/ntap-20191004-0001/
  September 2019 Linux Kernel Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://usn.ubuntu.com/4163-1/
  USN-4163-1: Linux kernel vulnerabilities | Ubuntu security notices
- https://usn.ubuntu.com/4157-1/
  USN-4157-1: Linux kernel vulnerabilities | Ubuntu security notices
- https://usn.ubuntu.com/4162-1/
  USN-4162-1: Linux kernel vulnerabilities | Ubuntu security notices
- https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.php
  grsecurity - Teardown of a Failed Linux LTS Spectre Fix (Exploit; Patch; Third Party Advisory)
- https://seclists.org/bugtraq/2019/Sep/41
  Bugtraq: [SECURITY] [DSA 4531-1] linux security update (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.html
  [security-announce] openSUSE-SU-2019:2173-1: important: Security update (Third Party Advisory)
- https://usn.ubuntu.com/4157-2/
  USN-4157-2: Linux kernel (HWE) vulnerabilities | Ubuntu security notices
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.html
  [security-announce] openSUSE-SU-2019:2181-1: important: Security update (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4531
  Debian -- Security Information -- DSA-4531-1 linux (Third Party Advisory)