Risk | Low |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2018-12207 CVE-2018-20126 CVE-2019-11135 CVE-2019-12068 |
CWE-ID | CWE-119 CWE-401 CWE-399 CWE-835 |
Exploitation vector | Local network |
Public exploit | Public exploit code for vulnerability #3 is available. |
Vulnerable software Subscribe |
Opensuse Operating systems & Components / Operating system |
Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU22712
Risk: Low
CVSSv3.1: 4.2 [CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12207
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the mechanism responsible for error handling on some Intel platforms. A local user of a guest operating system can use a specially crafted application to trigger memory corruption and cause the host system to stop responding.
Successful exploitation of this vulnerability may result in a denial of service (DoS) attack.
Below is the list of processor families that are affected by this vulnerability:
Client:
Server:
Update the affected packages.
Opensuse: 15.0
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU16684
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20126
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to cause DoS condition on the target system.
The vulnerability exists due to memory leakage issue in hw/rdma/vmw/pvrdma_cmd.c when errors are mishandled. A local attacker can create_cq and create_qp memory leaks, resulting in DoS.
MitigationUpdate the affected packages.
Opensuse: 15.0
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU22704
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-11135
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the TSX Asynchronous Abort (TAA) in Intel CPUs. The TAA condition, on some microprocessors utilizing speculative execution, may allow an authenticated user to potentially enable information disclosure via a side channel. MitigationUpdate the affected packages.
Opensuse: 15.0
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU22783
Risk: Low
CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12068
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in lsi_execute_script() when reading empty opcode. A local user can consume all available system resources and cause denial of service conditions.
MitigationUpdate the affected packages.
Opensuse: 15.0
External linkshttp://lists.opensuse.org/opensuse-security-announce/2019-11/msg00038.html
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.