Risk | Low |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2019-0117 CVE-2019-11135 CVE-2019-11139 |
CWE-ID | CWE-284 CWE-399 |
Exploitation vector | Local |
Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available. |
Vulnerable software Subscribe |
Red Hat Enterprise Linux for x86_64 - Extended Update Support Operating systems & Components / Operating system Red Hat Enterprise Linux for x86_64 Operating systems & Components / Operating system Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions Operating systems & Components / Operating system package or component microcode_ctl (Red Hat package) Operating systems & Components / Operating system package or component |
Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU22781
Risk: Low
CVSSv3.1: 5.4 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-0117
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to improper access restrictions in protected memory subsystem for Intel(R) SGX for 6th, 7th, 8th, 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Xeon(R) Processor E3-1500 v5, v6 Families; Intel(R) Xeon(R) E-2100 & E-2200 Processor Families with Intel(R) Processor Graphics. A local user can gain access to sensitive information.
The following processor families are affected:
Install updates from vendor's website.
Red Hat Enterprise Linux for x86_64 - Extended Update Support: 8.1
Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions: 8.1
Red Hat Enterprise Linux for x86_64: 8.0
microcode_ctl (Red Hat package): before 20190618-1.20191112.1.el8_1
External linkshttp://access.redhat.com/errata/RHEA-2019:3845
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU22704
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11135
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the TSX Asynchronous Abort (TAA) in Intel CPUs. The TAA condition, on some microprocessors utilizing speculative execution, may allow an authenticated user to potentially enable information disclosure via a side channel. MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for x86_64 - Extended Update Support: 8.1
Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions: 8.1
Red Hat Enterprise Linux for x86_64: 8.0
microcode_ctl (Red Hat package): before 20190618-1.20191112.1.el8_1
External linkshttp://access.redhat.com/errata/RHEA-2019:3845
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU22782
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11139
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper conditions check in the voltage modulation interface for some Intel(R) Xeon(R) Scalable Processors. A local user can perform a denial of service attack.
The following Intel Xeon Scalable Processors are affected:
Install updates from vendor's website.
Red Hat Enterprise Linux for x86_64 - Extended Update Support: 8.1
Red Hat Enterprise Linux Server for x86_64 - Update Services for SAP Solutions: 8.1
Red Hat Enterprise Linux for x86_64: 8.0
microcode_ctl (Red Hat package): before 20190618-1.20191112.1.el8_1
External linkshttp://access.redhat.com/errata/RHEA-2019:3845
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.