CVE-2019-19922
Severity: MEDIUM
Linux Kernel < 5.3.9 - Denial of Service via Slice Expiration in CFS Quota
Title source: llmDescription
kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.cfs_quota_us is used (e.g., with Kubernetes), allows attackers to cause a denial of service against non-cpu-bound applications by generating a workload that triggers unwanted slice expiration, aka CID-de53fd7aedb1. (In other words, although this slice expiration would typically be seen with benign workloads, it is possible that an attacker could calculate how many stray requests are required to force an entire Kubernetes cluster into a low-performance state caused by slice expiration, and ensure that a DDoS attack sent that number of stray requests. An attack does not affect the stability of the kernel; it only causes mismanagement of application execution.)
References (9)
https://usn.ubuntu.com/4226-1/ (Third Party Advisory; vendor-advisory; x_refsource_ubuntu)
https://lists.debian.org/debian-lts-announce/2020/01/msg00013.html (Mailing List, Third Party Advisory; mailing-list; x_refsource_mlist)
https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory; x_refsource_misc)
https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.3.9 (Mailing List, Patch, Vendor Advisory; x_refsource_misc)
https://github.com/torvalds/linux/commit/de53fd7aedb100f03e5d2231cfce0e4993282425 (Patch, Third Party Advisory; x_refsource_misc)
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=de53fd7aedb100f03e5d2231cfce0e4993282425 (Mailing List, Patch, Vendor Advisory; x_refsource_misc)
https://relistan.com/the-kernel-may-be-slowing-down-your-app (Exploit, Third Party Advisory; x_refsource_misc)
https://github.com/kubernetes/kubernetes/issues/67577 (Issue Tracking, Patch, Third Party Advisory; x_refsource_misc)
https://security.netapp.com/advisory/ntap-20200204-0002/ (Third Party Advisory; x_refsource_confirm)
Scores
CVSS v3: 5.5
EPSS: 0.0011
EPSS Percentile: 28.1%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-400
Status: published
Products (15)
canonical/ubuntu_linux 18.04
canonical/ubuntu_linux 19.04
debian/debian_linux 8.0
linux/linux_kernel < 5.3.9
netapp/active_iq_unified_manager
netapp/aff_baseboard_management_controller a700
netapp/cloud_backup
netapp/data_availability_services
netapp/e-series_santricity_os_controller 11.0 - 11.70.2
netapp/fas/aff_baseboard_management_controller
... and 5 more
Published: Dec 22, 2019
Tracked Since: Feb 18, 2026