Vulnerability Name:

CVE-2019-14898 (CCN-175727)

Assigned:2019-11-20
Published:2019-11-20
Updated:2023-02-12
Summary:The fix for CVE-2019-11599, affecting the Linux kernel before 5.0.10 was not complete. A local user could use this flaw to obtain sensitive information, cause a denial of service, or possibly have other unspecified impacts by triggering a race condition with mmget_not_zero or get_task_mm calls.
CVSS v3 Severity:7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H)
5.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): High
7.0 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:6.9 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
5.2 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-667
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-14898

Source: CCN
Type: Red Hat Web site
CVE-2019-14898

Source: secalert@redhat.com
Type: Exploit, Mailing List, Patch, Third Party Advisory
secalert@redhat.com

Source: CCN
Type: Red Hat Bugzilla – Bug 1774671
CVE-2019-14898 kernel: incomplete fix for race condition between mmget_not_zero()/get_task_mm() and core dumping in CVE-2019-11599

Source: secalert@redhat.com
Type: Issue Tracking, Third Party Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Mailing List, Vendor Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Mailing List, Vendor Advisory
secalert@redhat.com

Source: secalert@redhat.com
Type: Mailing List, Vendor Advisory
secalert@redhat.com

Source: XF
Type: UNKNOWN
linux-kernel-cve201914898-dos(175727)

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: IBM Security Bulletin 3177579 (Spectrum Protect Plus)
Multiple vulnerabilities in Linux Kernel affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 6220128 (Security Guardium)
IBM Security Guardium is affected by a kernel vulnerability

Source: CCN
Type: IBM Security Bulletin 6243446 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6335281 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: Linux Kernel Web site
The Linux Kernel Archives

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Vulnerable Configuration:Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::nfv:*:*:*:*:*
    • Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:8::realtime:*:*:*:*:*
    • Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*
    • Configuration RedHat 5:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
    • Configuration RedHat 6:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*
    • Configuration RedHat 7:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*
    • Configuration RedHat 8:
  • cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*
    • Configuration RedHat 9:
  • cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*
    • Configuration RedHat 10:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*
    • Configuration RedHat 11:
  • cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*
    • Configuration RedHat 12:
  • cpe:/a:redhat:rhel_extras_rt:7:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:linux:linux_kernel:*:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:data_risk_manager:2.0.6.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.redhat.rhsa:def:20200375
    P
    		RHSA-2020:0375: kernel-rt security and bug fix update (Important)
    2020-02-04
    oval:com.redhat.rhsa:def:20200328
    P
    		RHSA-2020:0328: kernel-rt security and bug fix update (Important)
    2020-02-04
    oval:com.redhat.rhsa:def:20200339
    P
    		RHSA-2020:0339: kernel security and bug fix update (Important)
    2020-02-04
    oval:com.redhat.rhsa:def:20200374
    P
    		RHSA-2020:0374: kernel security and bug fix update (Important)
    2020-02-04
    oval:com.ubuntu.disco:def:2019148980000000
    V
    		CVE-2019-14898 on Ubuntu 19.04 (disco) - medium.
    2019-11-26
    oval:com.ubuntu.bionic:def:2019148980000000
    V
    		CVE-2019-14898 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-11-26
    oval:com.ubuntu.xenial:def:2019148980000000
    V
    		CVE-2019-14898 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-11-26
    BACK
    linux linux kernel *
    ibm spectrum protect plus 10.1.0
    ibm spectrum protect plus 10.1.5
    ibm security guardium 11.0
    ibm security guardium 11.1
    ibm data risk manager 2.0.1
    ibm data risk manager 2.0.2
    ibm data risk manager 2.0.3
    ibm data risk manager 2.0.4
    ibm data risk manager 2.0.5
    ibm data risk manager 2.0.6
    ibm data risk manager 2.0.6.1
    ibm data risk manager 2.0.6.2