CVE-2019-15239
Publication date 20 August 2019
Last updated 24 July 2024
Ubuntu priority
In the Linux kernel, a certain net/ipv4/tcp_output.c change, which was properly incorporated into 4.16.12, was incorrectly backported to the earlier longterm kernels, introducing a new vulnerability that was potentially more severe than the issue that was intended to be fixed by backporting. Specifically, by adding to a write queue between disconnection and re-connection, a local attacker can trigger multiple use-after-free conditions. This can result in a kernel crash, or potentially in privilege escalation. NOTE: this affects (for example) Linux distributions that use 4.9.x longterm kernels before 4.9.190 or 4.14.x longterm kernels before 4.14.139.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| linux | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-165.193
|
|
| 14.04 LTS trusty | Ignored | |
| linux-aws | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1095.106
|
|
| 14.04 LTS trusty | Ignored | |
| linux-aws-hwe | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-azure | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Ignored | |
| linux-azure-edge | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-gcp | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-gcp-edge | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-gke-4.15 | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-gke-5.0 | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-hwe | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-hwe-edge | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-kvm | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1059.66
|
|
| 14.04 LTS trusty | Not in release | |
| linux-lts-trusty | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| linux-lts-xenial | ||
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Ignored | |
| linux-oem | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial | Ignored | |
| 14.04 LTS trusty | Not in release | |
| linux-oracle | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Not in release | |
| linux-raspi2 | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1123.132
|
|
| 14.04 LTS trusty | Not in release | |
| linux-snapdragon | ||
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Fixed 4.4.0-1127.135
|
|
| 14.04 LTS trusty | Not in release |
Notes
sbeattie
This vulnerability was introduced when 7f582b248d0a86bae5788c548d7bb5bca6f7691a was incorrectly backported to stable kernels; the upstream kernel was prevented from being vulnerable because 75c119afe14f74b4dd967d75ed9f57ab6c0ef045 had landed prior to it. Thus, for the upstream kernel, the fix for the issue predates the commit that introduced the issue. link to xenial kernel git commit above demonstrates the fix that landed to address backport kernels.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://pulsesecurity.co.nz/advisories/linux-kernel-4.9-tcpsocketsuaf
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7f582b248d0a86bae5788c548d7bb5bca6f7691a
- https://lore.kernel.org/stable/41a61a2f87691d2bc839f26cdfe6f5ff2f51e472.camel@decadent.org.uk/
- https://salsa.debian.org/kernel-team/kernel-sec/blob/f6273af2d956a87296b6b60379d0a186c9be4bbc/active/CVE-2019-15239
- https://www.debian.org/security/2019/dsa-4497
- https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/xenial/commit/?id=edff0f7fc52aa3fba1141755ae5aa008c51eb518
- https://www.cve.org/CVERecord?id=CVE-2019-15239