Vulnerability Description
kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linux | Linux Kernel | < 5.3.9 |
| Oracle | Sd-Wan Edge | 8.2 |
| Canonical | Ubuntu Linux | 18.04 |
| Debian | Debian Linux | 8.0 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Cloud Backup | - |
| Netapp | Data Availability Services | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.2 |
| Netapp | Fas/Aff Baseboard Management Controller | - |
| Netapp | Hci Baseboard Management Controller | h610s |
| Netapp | Solidfire & Hci Management Node | - |
| Netapp | Steelstore Cloud Integrated Storage | - |
| Netapp | Aff Baseboard Management Controller | a700 |
| Netapp | Solidfire Baseboard Management Controller | - |
Related Weaknesses (CWE)
References
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9 (Mailing List, Patch, Vendor Advisory)
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=de53f (Mailing List, Patch, Vendor Advisory)
- https://github.com/kubernetes/kubernetes/issues/67577 (Issue Tracking, Patch, Third Party Advisory)
- https://github.com/torvalds/linux/commit/de53fd7aedb100f03e5d2231cfce0e499328242 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html (Mailing List, Third Party Advisory)
- https://relistan.com/the-kernel-may-be-slowing-down-your-app (Exploit, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200204-0002/ (Third Party Advisory)
- https://usn.ubuntu.com/4226-1/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
FAQ
What is CVE-2019-19922?
CVE-2019-19922 is a vulnerability with a CVSS score of 5.5 (MEDIUM). kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generat...
How severe is CVE-2019-19922?
CVE-2019-19922 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-19922?
Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Oracle Sd-Wan Edge, Canonical Ubuntu Linux, Debian Debian Linux, Netapp Active Iq Unified Manager.