Bug 1753062 (CVE-2019-11135) - CVE-2019-11135 hw: TSX Transaction Asynchronous Abort (TAA)
Summary: CVE-2019-11135 hw: TSX Transaction Asynchronous Abort (TAA)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-11135
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1766967 1764049 1764050 1764051 1764052 1764053 1764054 1764055 1764056 1764057 1764058 1764059 1764060 1766530 1766531 1766532 1766533 1766534 1766535 1766536 1766537 1766538 1766539 1766540 1766541 1766543 1766544 1766545 1766546 1766547 1766548 1766550 1766551 1766552 1766553 1766966 1766980 1766981 1766986 1770156 1770746 1770747 1771649 1771650 1771948 1771949 1771950 1771951 1771952 1771953 1771955 1771956 1771957 1771958 1771959 1771960 1771961 1771962 1771963 1771964 1771965 1771966 1771967 1771968 1771970 1771971 1771972 1771973 1779528 1779529 1779530 1779553 1779676 1779677 1779766 1779767 1779768 1779771 1782069 1782070
Blocks: 1752312 1768825 1768826 1768827 1768828 1768829 1768830
TreeView+ depends on / blocked
 
Reported: 2019-09-18 01:42 UTC by Wade Mealing
Modified: 2023-05-12 21:16 UTC (History)
96 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Intel CPUs handle speculative execution of instructions when the TSX Asynchronous Abort (TAA) error occurs. A local authenticated attacker with the ability to monitor execution times could infer the TSX memory state by comparing abort execution times. This could allow information disclosure via this observed side-channel for any TSX transaction being executed while an attacker is able to observe abort timing. Intel's Transactional Synchronisation Extensions (TSX) are set of instructions which enable transactional memory support to improve performance of the multi-threaded applications, in the lock-protected critical sections. The CPU executes instructions in the critical-sections as transactions, while ensuring their atomic state. When such transaction execution is unsuccessful, the processor cannot ensure atomic updates to the transaction memory, so the processor rolls back or aborts such transaction execution. While TSX Asynchronous Abort (TAA) is pending, CPU may continue to read data from architectural buffers and pass it to the dependent speculative operations. This may cause information leakage via speculative side-channel means, which is quite similar to the Microarchitectural Data Sampling (MDS) issue.
Clone Of:
Environment:
Last Closed: 2019-11-13 00:51:23 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3866 0 None None None 2019-11-13 15:53:30 UTC
Red Hat Product Errata RHBA-2019:3886 0 None None None 2019-11-14 15:29:59 UTC
Red Hat Product Errata RHBA-2019:4120 0 None None None 2019-12-09 21:41:33 UTC
Red Hat Product Errata RHEA-2019:3845 0 None None None 2019-11-12 21:37:07 UTC
Red Hat Product Errata RHEA-2019:3846 0 None None None 2019-11-12 22:38:10 UTC
Red Hat Product Errata RHSA-2019:3832 0 None None None 2019-11-12 19:53:58 UTC
Red Hat Product Errata RHSA-2019:3833 0 None None None 2019-11-12 19:08:55 UTC
Red Hat Product Errata RHSA-2019:3834 0 None None None 2019-11-12 20:46:59 UTC
Red Hat Product Errata RHSA-2019:3835 0 None None None 2019-11-12 19:25:30 UTC
Red Hat Product Errata RHSA-2019:3836 0 None None None 2019-11-12 20:57:17 UTC
Red Hat Product Errata RHSA-2019:3837 0 None None None 2019-11-12 20:44:48 UTC
Red Hat Product Errata RHSA-2019:3838 0 None None None 2019-11-12 20:45:48 UTC
Red Hat Product Errata RHSA-2019:3839 0 None None None 2019-11-12 21:33:40 UTC
Red Hat Product Errata RHSA-2019:3840 0 None None None 2019-11-12 21:19:14 UTC
Red Hat Product Errata RHSA-2019:3841 0 None None None 2019-11-12 20:58:59 UTC
Red Hat Product Errata RHSA-2019:3842 0 None None None 2019-11-12 21:09:19 UTC
Red Hat Product Errata RHSA-2019:3843 0 None None None 2019-11-12 21:10:18 UTC
Red Hat Product Errata RHSA-2019:3844 0 None None None 2019-11-12 21:07:49 UTC
Red Hat Product Errata RHSA-2019:3860 0 None None None 2019-11-12 20:10:43 UTC
Red Hat Product Errata RHSA-2019:3936 0 None None None 2019-11-20 20:50:46 UTC
Red Hat Product Errata RHSA-2020:0026 0 None None None 2020-01-06 14:12:26 UTC
Red Hat Product Errata RHSA-2020:0028 0 None None None 2020-01-06 14:41:02 UTC
Red Hat Product Errata RHSA-2020:0204 0 None None None 2020-01-22 21:25:05 UTC
Red Hat Product Errata RHSA-2020:0279 0 None None None 2020-01-29 14:16:37 UTC
Red Hat Product Errata RHSA-2020:0366 0 None None None 2020-02-04 19:29:43 UTC
Red Hat Product Errata RHSA-2020:0555 0 None None None 2020-02-19 18:58:06 UTC
Red Hat Product Errata RHSA-2020:0666 0 None None None 2020-03-03 15:17:58 UTC
Red Hat Product Errata RHSA-2020:0730 0 None None None 2020-03-05 15:04:55 UTC

Description Wade Mealing 2019-09-18 01:42:31 UTC 
A flaw was found in the implementation of Intel Transactional Synchronization Extensions (TSX) abortion where a local authenticated attacker with the ability to monitor execution time is able to infer TSX memory state by comparing abort execution times.

This could allow information disclosure via this observed sidechannel for any TSX transaction being executed while an attacker is able to observe abort timing.
Comment 16 Prasad Pandit 2019-11-12 09:05:14 UTC 
Mitigation:

For mitigation related information, please refer to the Red Hat Knowledgebase article:  https://access.redhat.com/solutions/tsx-asynchronousabort
Comment 19 Prasad Pandit 2019-11-12 18:08:27 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1771649]


Created microcode_ctl tracking bugs for this issue:

Affects: fedora-all [bug 1771650]
Comment 20 Petr Matousek 2019-11-12 18:13:23 UTC 
External References:

https://access.redhat.com/solutions/tsx-asynchronousabort
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00270.html
Comment 21 errata-xmlrpc 2019-11-12 19:08:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3833 https://access.redhat.com/errata/RHSA-2019:3833
Comment 22 errata-xmlrpc 2019-11-12 19:25:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3835 https://access.redhat.com/errata/RHSA-2019:3835
Comment 23 errata-xmlrpc 2019-11-12 19:53:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3832 https://access.redhat.com/errata/RHSA-2019:3832
Comment 24 errata-xmlrpc 2019-11-12 20:10:39 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:3860 https://access.redhat.com/errata/RHSA-2019:3860
Comment 25 errata-xmlrpc 2019-11-12 20:44:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2019:3837 https://access.redhat.com/errata/RHSA-2019:3837
Comment 26 errata-xmlrpc 2019-11-12 20:45:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.5 Extended Update Support

Via RHSA-2019:3838 https://access.redhat.com/errata/RHSA-2019:3838
Comment 27 errata-xmlrpc 2019-11-12 20:46:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:3834 https://access.redhat.com/errata/RHSA-2019:3834
Comment 28 errata-xmlrpc 2019-11-12 20:57:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:3836 https://access.redhat.com/errata/RHSA-2019:3836
Comment 29 errata-xmlrpc 2019-11-12 20:58:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Telco Extended Update Support
  Red Hat Enterprise Linux 7.2 Advanced Update Support
  Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions

Via RHSA-2019:3841 https://access.redhat.com/errata/RHSA-2019:3841
Comment 30 errata-xmlrpc 2019-11-12 21:07:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2019:3844 https://access.redhat.com/errata/RHSA-2019:3844
Comment 31 errata-xmlrpc 2019-11-12 21:09:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:3842 https://access.redhat.com/errata/RHSA-2019:3842
Comment 32 errata-xmlrpc 2019-11-12 21:10:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:3843 https://access.redhat.com/errata/RHSA-2019:3843
Comment 33 errata-xmlrpc 2019-11-12 21:19:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Telco Extended Update Support
  Red Hat Enterprise Linux 7.3 Advanced Update Support
  Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions

Via RHSA-2019:3840 https://access.redhat.com/errata/RHSA-2019:3840
Comment 34 errata-xmlrpc 2019-11-12 21:33:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support
  Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.4 Telco Extended Update Support

Via RHSA-2019:3839 https://access.redhat.com/errata/RHSA-2019:3839
Comment 35 Product Security DevOps Team 2019-11-13 00:51:23 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-11135
Comment 43 errata-xmlrpc 2019-11-20 20:50:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3936 https://access.redhat.com/errata/RHSA-2019:3936
Comment 64 errata-xmlrpc 2020-01-06 14:12:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0026 https://access.redhat.com/errata/RHSA-2020:0026
Comment 65 errata-xmlrpc 2020-01-06 14:40:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0028 https://access.redhat.com/errata/RHSA-2020:0028
Comment 66 errata-xmlrpc 2020-01-22 21:25:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:0204 https://access.redhat.com/errata/RHSA-2020:0204
Comment 68 errata-xmlrpc 2020-01-29 14:16:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:0279 https://access.redhat.com/errata/RHSA-2020:0279
Comment 69 errata-xmlrpc 2020-02-04 19:29:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0366 https://access.redhat.com/errata/RHSA-2020:0366
Comment 70 errata-xmlrpc 2020-02-19 18:58:02 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.1.0

Via RHSA-2020:0555 https://access.redhat.com/errata/RHSA-2020:0555
Comment 71 errata-xmlrpc 2020-03-03 15:17:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:0666 https://access.redhat.com/errata/RHSA-2020:0666
Comment 72 errata-xmlrpc 2020-03-05 15:04:50 UTC 
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.2

Via RHSA-2020:0730 https://access.redhat.com/errata/RHSA-2020:0730
Comment 76 Doran Moppert 2021-02-01 06:18:02 UTC 
Statement:

libvirt and qemu-kvm on Red Hat Enterprise Linux 6 are not affected by this vulnerability as they do not support MSR-based CPU features.
Note You need to log in before you can comment on or make changes to this bug.