Bugzilla – Bug 1159717
VUL-1: CVE-2019-19922: kernel-source: when cpu.cfs_quota_us is used allows attackers to cause a denial of service against non-cpu-bound applications
Last modified: 2024-06-25 14:13:16 UTC
CVE-2019-19922 kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19922
https://github.com/torvalds/linux/commit/de53fd7aedb100f03e5d2231cfce0e4993282425
https://github.com/kubernetes/kubernetes/issues/67577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19922
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=de53fd7aedb100f03e5d2231cfce0e4993282425
https://relistan.com/the-kernel-may-be-slowing-down-your-app
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
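As an added triage example (not part of this bug report or of the kernel tree), the following Python checks a kernel release string against the affected range stated on this page (4.18 up to, but not including, 5.3.9) and computes how often a CFS-quota cgroup was throttled from its cpu.stat, the symptom the CVE describes; the SAMPLE_CPU_STAT contents and the 25% threshold are constructed assumptions.

```python
"""Triage helpers for CVE-2019-19922 (CFS quota slice expiration).

Added example: version-range hint plus a throttling-ratio check on a cgroup
cpu.stat. Sample data below is constructed, not taken from a real host.
"""
import re

FIRST_AFFECTED = (4, 18, 0)   # comment on this bug: "4.18+"
FIXED_IN = (5, 3, 9)          # CVE text: "before 5.3.9"

def parse_kernel_version(release: str) -> tuple:
    """'5.3.8-1-default' -> (5, 3, 8); a missing patch level counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def upstream_version_affected(release: str) -> bool:
    """True if the upstream version lies in the affected range. Distros
    backport fixes (SLE15-SP2 did), so treat this as a hint, not proof."""
    return FIRST_AFFECTED <= parse_kernel_version(release) < FIXED_IN

def parse_cpu_stat(text: str) -> dict:
    """Parse a cgroup v1 or v2 cpu.stat file into {field: int}."""
    stats = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            stats[parts[0]] = int(parts[1])
    return stats

def throttle_ratio(stats: dict) -> float:
    """Fraction of CFS enforcement periods in which the cgroup was throttled."""
    periods = stats.get("nr_periods", 0)
    return stats.get("nr_throttled", 0) / periods if periods else 0.0

def flag_throttling(stats: dict, threshold: float = 0.25) -> bool:
    """Heuristic: a service known to be non-CPU-bound that is throttled in more
    than `threshold` of its periods shows the symptom described in the CVE.
    The threshold is an assumption; tune it per workload."""
    return throttle_ratio(stats) > threshold

# Constructed sample: cgroup v1 cpu.stat of a lightly loaded, quota-limited service
SAMPLE_CPU_STAT = """nr_periods 100000
nr_throttled 41000
throttled_time 123456789000
"""
```

A ratio this high on a service that is mostly idle is the signal to compare the running kernel against your distribution's backport status rather than the upstream version number alone.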
4.18+, so only SLES 15 SP2 and TW.
The fix was already backported in SLE15-SP2. TW will move to 5.4.y now, so all fixed now. I'll update the patch reference. Reassigned back to security team.
Closing