Resource Exhaustion Affecting perf package, versions <0:4.18.0-193.el8
Snyk ID: SNYK-RHEL8-PERF-3756973
- published 26 Jul 2021
- disclosed 22 Dec 2019
- introduced 22 Dec 2019
CVE-2019-19922

How to fix?
Upgrade the RHEL:8 perf package to version 0:4.18.0-193.el8 or higher. This issue was patched in RHSA-2020:1769. Note that perf is built from the kernel source package and carries the kernel's version, while the affected code lives in the scheduler: the running kernel (`uname -r`) must also be 4.18.0-193.el8 or later, so reboot into the updated kernel after installing the errata rather than relying on the perf RPM version alone.
NVD Description
Note: Versions mentioned in the description apply only to the upstream perf package and not the perf package as distributed by RHEL. See "How to fix?" for RHEL:8 relevant fixed versions and status.
kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)
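As an added example (not code from Snyk, Red Hat or the kernel project), the Python below does the two checks a practitioner wants for this advisory: it compares an installed RHEL 8 EVR (from `rpm -q perf`, or `uname -r` for the running kernel) against the fixed build 0:4.18.0-193.el8 using rpm's version-ordering rules, which a plain string comparison or `sort -V` gets wrong for releases such as 193.1.2.el8_2, and it parses the cgroup cpu.stat counters that expose the symptom the description calls a "low-performance state": a cgroup throttled in many CFS periods while using only a fraction of its quota. The function names, the constructed cpu.stat sample and the 0.25 alert threshold are assumptions, not values from the advisory.

```python
import platform
import re
from itertools import zip_longest

# Added example: RPM-style EVR comparison against the fixed build from
# RHSA-2020:1769, plus a cgroup cpu.stat parser. Helper names, the sample
# cpu.stat content and THROTTLE_RATIO_ALERT are assumptions for illustration.

FIXED_EVR = "0:4.18.0-193.el8"   # fixed perf/kernel build named in the advisory

_TOKEN = re.compile(r"\d+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm does (simplified).

    Strings are split into numeric runs, alphabetic runs and '~'; every other
    character is a separator. Numeric segments compare as integers, alphabetic
    segments lexically, a numeric segment beats an alphabetic one, a longer
    string beats its own prefix, and '~' sorts before anything, including the
    end of the string. rpm's '^' handling is omitted. Returns -1, 0 or 1.
    """
    for x, y in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b)):
        if x == "~" or y == "~":
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        xk, yk = (int(x), int(y)) if x.isdigit() else (x, y)
        if xk != yk:
            return -1 if xk < yk else 1
    return 0


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Epoch decides outright, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_evr: str) -> bool:
    """True when the installed perf (or running kernel) EVR is at or above the fix."""
    return evr_cmp(installed_evr, FIXED_EVR) >= 0


def strip_arch(uname_release: str) -> str:
    """Turn a `uname -r` value such as 4.18.0-193.el8.x86_64 into an EVR-style string."""
    return re.sub(r"\.(x86_64|aarch64|ppc64le|s390x)$", "", uname_release)


# Constructed cgroup v1 cpu.stat content; cgroup v2's cpu.stat uses the same
# nr_periods / nr_throttled keys, so the parser works for both.
SAMPLE_CPU_STAT = """nr_periods 1200
nr_throttled 340
throttled_time 9876543210
"""

THROTTLE_RATIO_ALERT = 0.25   # assumed heuristic; tune per workload


def parse_cpu_stat(text: str) -> dict:
    """Parse 'key value' lines from cpu.stat into {key: int}, skipping junk."""
    stats = {}
    for line in text.splitlines():
        key, _, value = line.partition(" ")
        if key and value.strip().isdigit():
            stats[key] = int(value)
    return stats


def throttle_ratio(stats: dict) -> float:
    """Fraction of CFS periods in which the cgroup was throttled."""
    periods = stats.get("nr_periods", 0)
    return stats.get("nr_throttled", 0) / periods if periods else 0.0


def looks_like_spurious_throttling(stats: dict, cpu_utilisation: float) -> bool:
    """Flag the symptom in the NVD text: frequent throttling of a cgroup that is
    nowhere near its quota. cpu_utilisation is the caller's measured CPU use as
    a fraction of the quota (0.0 to 1.0); it is not derivable from cpu.stat."""
    return cpu_utilisation < 0.5 and throttle_ratio(stats) >= THROTTLE_RATIO_ALERT


if __name__ == "__main__":
    running = strip_arch(platform.release())
    print(f"running kernel {running}: {'fixed' if is_fixed(running) else 'VULNERABLE'}")
    stats = parse_cpu_stat(SAMPLE_CPU_STAT)
    print(f"sample cgroup throttled in {throttle_ratio(stats):.0%} of periods")
```

To check a live container, read `/sys/fs/cgroup/cpu/<cgroup>/cpu.stat` (v1) or `/sys/fs/cgroup/<cgroup>/cpu.stat` (v2) into `parse_cpu_stat` and supply the utilisation you measure from your metrics pipeline; a high throttle ratio at low utilisation on a kernel that `is_fixed` rejects is the pattern this advisory describes.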
References
- https://security.netapp.com/advisory/ntap-20200204-0002/
- https://access.redhat.com/security/cve/CVE-2019-19922
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9
- https://github.com/kubernetes/kubernetes/issues/67577
- https://github.com/torvalds/linux/commit/de53fd7aedb100f03e5d2231cfce0e4993282425
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=de53fd7aedb100f03e5d2231cfce0e4993282425
- https://relistan.com/the-kernel-may-be-slowing-down-your-app
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html
- https://access.redhat.com/errata/RHSA-2020:1769
- https://usn.ubuntu.com/4226-1/