CVE-2019-15902 — MEDIUM (5.6)

Q: How severe is CVE-2019-15902?

CVE-2019-15902 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-15902?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Netapp Active Iq Performance Analytics Services, Netapp Service Processor, Debian Debian Linux, Opensuse Leap.

Vulnerability Description

A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse of the upstream "x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()" commit reintroduced the Spectre vulnerability that it aimed to eliminate. This occurred because the backport process depends on cherry picking specific commits, and because two (correctly ordered) code lines were swapped.

CVSS Score

5.6

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	>= 4.4, <= 4.4.190
Netapp	Active Iq Performance Analytics Services	-
Netapp	Service Processor	-
Debian	Debian Linux	8.0
Opensuse	Leap	15.0
Netapp	Baseboard Management Controller Firmware	-
Netapp	Baseboard Management Controller	-

Related Weaknesses (CWE)

CWE-200

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.htmlThird Party Advisory
https://grsecurity.net/teardown_of_a_failed_linux_lts_spectre_fix.phpExploitPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/10/msg00000.htmlThird Party Advisory
https://seclists.org/bugtraq/2019/Sep/41Mailing ListThird Party Advisory
https://security.netapp.com/advisory/ntap-20191004-0001/Third Party Advisory
https://usn.ubuntu.com/4157-1/
https://usn.ubuntu.com/4157-2/
https://usn.ubuntu.com/4162-1/
https://usn.ubuntu.com/4162-2/
https://usn.ubuntu.com/4163-1/
https://usn.ubuntu.com/4163-2/
https://www.debian.org/security/2019/dsa-4531Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00064.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00066.htmlThird Party Advisory

FAQ

What is CVE-2019-15902?

CVE-2019-15902 is a vulnerability with a CVSS score of 5.6 (MEDIUM). A backporting error was discovered in the Linux stable/longterm kernel 4.4.x through 4.4.190, 4.9.x through 4.9.190, 4.14.x through 4.14.141, 4.19.x through 4.19.69, and 5.2.x through 5.2.11. Misuse o...

How severe is CVE-2019-15902?

CVE-2019-15902 has been rated MEDIUM with a CVSS base score of 5.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-15902?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Netapp Active Iq Performance Analytics Services, Netapp Service Processor, Debian Debian Linux, Opensuse Leap.