National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2009-2910 Detail

Description

arch/x86/ia32/ia32entry.S in the Linux kernel before 2.6.31.4 on the x86_64 platform does not clear certain kernel registers before a return to user mode, which allows local users to read register values from an earlier process by switching an ia32 process to 64-bit mode.

Source:  MITRE      Last Modified:  10/20/2009

Quick Info

CVE Dictionary Entry:
CVE-2009-2910
Original release date:
10/20/2009
Last revised:
09/18/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
4.9 MEDIUM
Vector:
(AV:L/AC:L/Au:N/C:C/I:N/A:N) (legend)
Impact Subscore:
6.9
Exploitability Subscore:
3.9
CVSS Version 2 Metrics:
Access Vector:
Locally exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Allows unauthorized disclosure of information

Vendor Statements (disclaimer)

Official Statement from Red Hat (01/21/2010)

Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/CVE-2009-2910 It has been rated as having moderate security impact. It was addressed in Red Hat Enterprise Linux 4, 5 and Red Hat Enterprise MRG via: https://rhn.redhat.com/errata/RHSA-2009-1671.html , https://rhn.redhat.com/errata/RHSA-2010-0046.html and https://rhn.redhat.com/errata/RHSA-2009-1540.html respectively. This issue is not planned to be fixed in Red Hat Enterprise Linux 3, due to this product being in Production 3 of its maintenance life-cycle, where only qualified security errata of important and critical impact are addressed. For further information about Errata Support Policy, visit: http://www.redhat.com/security/updates/errata/

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-tip.git;a=commit;h=24e35800cdc4350fc34e2bed37b608a9e13ab3b6 Patch External Source CONFIRM http://git.kernel.org/?p=linux/kernel/git/x86/linux-2.6-tip.git;a=commit;h=24e35800cdc4350fc34e2bed37b608a9e13ab3b6
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00005.html External Source SUSE SUSE-SA:2009:054
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00007.html External Source SUSE SUSE-SA:2009:056
http://lists.opensuse.org/opensuse-security-announce/2010-02/msg00005.html External Source SUSE SUSE-SA:2010:012
http://lkml.org/lkml/2009/10/1/164 External Source MLIST [linux-kernel] 20091001 [tip:x86/urgent] x86: Don't leak 64-bit kernel register values to 32-bit processes
http://marc.info/?l=oss-security&m=125442304214452&w=2 External Source MLIST [oss-security] 20091001 CVE Request (kernel)
http://marc.info/?l=oss-security&m=125444390112831&w=2 External Source MLIST [oss-security] 20091002 Re: CVE Request (kernel)
http://marc.info/?l=oss-security&m=125511635004768&w=2 External Source MLIST [oss-security] 20091009 Re: CVE Request (kernel)
http://support.avaya.com/css/P8/documents/100073666 External Source CONFIRM http://support.avaya.com/css/P8/documents/100073666
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.4 Vendor Advisory External Source CONFIRM http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.4
http://www.openwall.com/lists/oss-security/2009/10/02/1 External Source MLIST [oss-security] 20091001 Re: CVE Request (kernel)
http://www.redhat.com/support/errata/RHSA-2009-1671.html External Source REDHAT RHSA-2009:1671
http://www.securityfocus.com/bid/36576 External Source BID 36576
http://www.ubuntu.com/usn/usn-864-1 External Source UBUNTU USN-864-1
https://bugzilla.redhat.com/show_bug.cgi?id=526788 Patch External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=526788
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10823 External Source OVAL oval:org.mitre.oval:def:10823
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7359 External Source OVAL oval:org.mitre.oval:def:7359
https://rhn.redhat.com/errata/RHSA-2009-1540.html External Source REDHAT RHSA-2009:1540
https://rhn.redhat.com/errata/RHSA-2010-0046.html External Source REDHAT RHSA-2010:0046
https://rhn.redhat.com/errata/RHSA-2010-0095.html External Source REDHAT RHSA-2010:0095
https://www.redhat.com/archives/fedora-package-announce/2009-October/msg00483.html Patch External Source FEDORA FEDORA-2009-10525

References to Check Content

Identifier:
oval:org.mitre.oval:def:10823
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10823
Identifier:
oval:org.mitre.oval:def:7359
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:7359

Technical Details

Vulnerability Type (View All)

  • Information Leak / Disclosure (CWE-200)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:o:linux:linux_kernel:2.2.27:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.1:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.2:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.3:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.4:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.6:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.7:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.8:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.9:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.10:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.11:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.12:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.13:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.14:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.15:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.16:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.17:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-1:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-2:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-3:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-4:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-5:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-6:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-7:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:pre-8:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.18:*:x86:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.19:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.19:*:-pre1:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.19:*:-pre2:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.19:*:-pre3:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.19:*:-pre4:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.19:*:-pre5:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.19:*:-pre6:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.20:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.21:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.21:*:-pre1:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.21:*:-pre4:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.21:*:-pre7:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.22:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.23:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.23:*:-ow2:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.23:*:-pre9:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.24:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.24:*:-ow1:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.25:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.26:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.27:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.27:*:-pre1:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.27:*:-pre2:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.27:*:-pre3:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.27:*:-pre4:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.27:*:-pre5:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.28:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.29:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.29:-rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.29:-rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.30:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.30:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.30:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.31:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.31:-pre1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.32:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.32:-pre1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.32:-pre2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33:p-re1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33.1:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33.2:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33.3:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33.4:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.33.7:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.34:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.34.1:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.34.2:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.34.3:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.34.4:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.34.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.34.6:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.35.1:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.35.2:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.35.3:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.35.4:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.35.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.1:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.2:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.3:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.4:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.5:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.6:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.7:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.8:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.36.9:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.37:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.37:-rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.37.1:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.37.2:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:2.4.37.3:*:*:*:*:*:*:*
Showing 100 of 483 CPEs, view all CPEs here.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History 2 change records found - show changes