Bug 1765481 (CVE-2019-11139)

Summary: CVE-2019-11139 hw: voltage modulation technical advisory
Product: [Other] Security Response
Reporter: Wade Mealing <wmealing>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aarapov, esyr, jarodwilson, jonathan, mikedep333, poros, ppandit, security-response-team, skozina, wmealing
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2021-10-25 22:12:47 UTC
Bug Depends On: 1766862, 1766863, 1766864, 1766865, 1766866, 1766867, 1766868, 1766869, 1766870, 1766871, 1766872, 1766873, 1766960, 1767761, 1771659    
Bug Blocks: 1752312    

Description Wade Mealing 2019-10-25 08:35:12 UTC
A vulnerability in the voltage regulation unit for some Intel scalable processors may allow a local privileged user to crash the system, resulting in a denial of service.

The CVSSv3 score provided by Intel does not match the above description, and Red Hat would disagree that this would be a DoS only under the provided score. The provided score suggests that data modification is possible, but with limited information this cannot be proven or disproved.

A microcode update that addresses this issue will be released.

Comment 5 Wade Mealing 2019-11-12 08:25:54 UTC
Acknowledgements:

Red Hat thanks Intel for reporting this issue and collaborating on the mitigations.

Comment 6 Prasad Pandit 2019-11-12 10:26:50 UTC
Statement:

Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/solutions/2019-microcode-nov

Comment 8 Prasad Pandit 2019-11-12 10:26:56 UTC
Mitigation:

As of this time there are no known mitigations. Please install relevant updated packages to address this flaw.

Comment 9 Prasad Pandit 2019-11-12 18:16:39 UTC
Created microcode_ctl tracking bugs for this issue:

Affects: fedora-all [bug 1771659]