Bug 1724389 (CVE-2019-1125)

Summary: CVE-2019-1125 kernel: hw: Spectre SWAPGS gadget vulnerability
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, ahardin, airlied, asavkov, bhu, blc, bleanhar, brdeoliv, bskeggs, ccoleman, chris.snell, cperry, dblechte, dedgar, dfediuck, dhoward, dvlasenk, eedri, esammons, fhrbata, gmollett, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jcm, jeremy, jforbes, jglisse, jgoulding, jlelli, joe.lawrence, john.j5live, jonathan, josef, jpoimboe, jross, jshortt, jstancek, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchappel, mchehab, mcressma, mgoldboi, michal.skrivanek, mjg59, mlangsdo, mzibrick, nmurray, plougher, pmatouse, rhandlin, rt-maint, rvrbovsk, sbonazzo, security-response-team, sherold, skontar, steved, williams, yozone, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A Spectre gadget was found in the Linux kernel's implementation of system interrupts. An attacker with local access could use this information to reveal private data through a Spectre like side channel.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-07 13:18:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1738287, 1738288, 1724500, 1724501, 1724502, 1724503, 1724504, 1724505, 1724506, 1724507, 1724508, 1724509, 1724510, 1724511, 1724512, 1724513, 1724514, 1724515, 1724516, 1724517, 1729810, 1733309, 1733310, 1733852, 1733853, 1733854, 1733855, 1733856, 1733858, 1733859, 1733876, 1734078, 1734623, 1734624, 1737703, 1738285    
Bug Blocks: 1724388, 1724661, 1724662, 1724663, 1724664, 1724665, 1724666    

Description Wade Mealing 2019-06-27 01:12:17 UTC 
An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization).  This flaw is a variant on the previous "speculative execution" attack vectors.

A spectre-v1 like side-channel was found on the kernels implementation of system calls where a local user could use branch misprediction to create an observable timing changes which can inadvertently reveal private data.

Note: This flaw affects both Intel x86-64 and AMD Microprocessors.  Other non x86 architectures do not have this attack vector available.

Red Hat product security is not aware of a method that an attacker can use this method of attack directly, fixing this flaw as part of the larger speculative execution issues reduces this attack vector if one becomes known.

After installing the updated kernel package, the system will need to be rebooted for the changes to take effect.

Upstream patch set:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a2059825986a1c8143fd6698774fa9d83733bb11
Comment 20 Petr Matousek 2019-08-06 16:37:15 UTC 
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article:  https://access.redhat.com/articles/4329821
Comment 21 Petr Matousek 2019-08-06 16:37:18 UTC 
Mitigation:

For mitigation related information, please refer to the Red Hat Knowledgebase article:  https://access.redhat.com/articles/4329821
Comment 22 Petr Matousek 2019-08-06 17:02:25 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1738285]
Comment 24 errata-xmlrpc 2019-08-07 12:57:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2405 https://access.redhat.com/errata/RHSA-2019:2405
Comment 25 Product Security DevOps Team 2019-08-07 13:18:17 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-1125
Comment 26 errata-xmlrpc 2019-08-07 15:18:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2411 https://access.redhat.com/errata/RHSA-2019:2411
Comment 27 msiddiqu 2019-08-07 16:05:34 UTC 
Public Via: Whitepaper [1] by BitDefender and Article [2] by Intel 

[1] https://businessresources.bitdefender.com/speculatively-executing-segmentation-related-instructions-intel-cpus?utm_campaign=swapgs&utm_source=web 
[2] https://software.intel.com/security-software-guidance/insights/more-information-swapgs-and-speculative-only-segment-loads
Comment 28 errata-xmlrpc 2019-08-13 14:59:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:2473 https://access.redhat.com/errata/RHSA-2019:2473
Comment 29 errata-xmlrpc 2019-08-13 17:43:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:2476 https://access.redhat.com/errata/RHSA-2019:2476
Comment 31 errata-xmlrpc 2019-09-03 17:41:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2600 https://access.redhat.com/errata/RHSA-2019:2600
Comment 32 errata-xmlrpc 2019-09-03 17:42:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2609 https://access.redhat.com/errata/RHSA-2019:2609
Comment 34 errata-xmlrpc 2019-09-10 10:27:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:2695 https://access.redhat.com/errata/RHSA-2019:2695
Comment 35 errata-xmlrpc 2019-09-10 13:46:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:2696 https://access.redhat.com/errata/RHSA-2019:2696
Comment 38 errata-xmlrpc 2019-09-11 09:09:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:2730 https://access.redhat.com/errata/RHSA-2019:2730
Comment 42 errata-xmlrpc 2019-09-25 12:17:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:2899 https://access.redhat.com/errata/RHSA-2019:2899
Comment 43 errata-xmlrpc 2019-09-25 12:25:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:2900 https://access.redhat.com/errata/RHSA-2019:2900
Comment 44 errata-xmlrpc 2019-10-08 09:59:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:2975 https://access.redhat.com/errata/RHSA-2019:2975
Comment 45 errata-xmlrpc 2019-10-10 15:37:16 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:3011 https://access.redhat.com/errata/RHSA-2019:3011
Comment 46 errata-xmlrpc 2019-10-29 13:12:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3220 https://access.redhat.com/errata/RHSA-2019:3220
Comment 50 Sam Fowler 2020-05-18 06:37:39 UTC 
OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.