Bugzilla – Bug 1174246
VUL-0: CVE-2019-14560: ovmf: improper check of GetEfiGlobalVariable2() return can potentially lead to secure boot bypass
Last modified: 2024-06-07 07:41:22 UTC
CVE-2019-14560: A flaw was found in edk2. The return value of the function GetEfiGlobalVariable2() is not checked, possibly leading to a secure boot bypass if an attacker can cause the API to fail.

References:
https://bugzilla.tianocore.org/show_bug.cgi?id=2167
https://bugzilla.redhat.com/show_bug.cgi?id=1858038
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14560
https://access.redhat.com/security/cve/CVE-2019-14560
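The pattern the description refers to, shown as an added illustration that is not code from edk2, ovmf or this bug: a caller that only looks at the output pointer of GetEfiGlobalVariable2() cannot tell "the SecureBoot variable does not exist" apart from "the read failed", and the variable helper returns NULL in both cases. The UEFI types, status codes and GetEfiGlobalVariable2_sim() below are local stand-ins and a constructed test double (the status values match the UEFI specification, but nothing here comes from the real edk2 headers); the fail-closed policy in should_verify_checked() is this example's own choice, not a description of any upstream fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for UEFI types and status codes. Values follow the
 * UEFI specification, but these are local definitions, not edk2 headers. */
typedef uintptr_t EFI_STATUS;
#define ENCODE_ERROR(n)        ((EFI_STATUS)(((EFI_STATUS)1 << (8 * sizeof(EFI_STATUS) - 1)) | (n)))
#define EFI_SUCCESS            ((EFI_STATUS)0)
#define EFI_OUT_OF_RESOURCES   ENCODE_ERROR(9)
#define EFI_NOT_FOUND          ENCODE_ERROR(14)
#define EFI_ERROR(s)           (((intptr_t)(s)) < 0)
#define SECURE_BOOT_MODE_ENABLE  1
#define SECURE_BOOT_MODE_DISABLE 0

/* Constructed test double for GetEfiGlobalVariable2(): the outcome is chosen
 * by sim_mode so that success and failure paths can be exercised offline. */
typedef enum {
  SIM_SB_ENABLED,   /* variable present, value 1 */
  SIM_SB_DISABLED,  /* variable present, value 0 */
  SIM_SB_ABSENT,    /* no SecureBoot variable (platform never provisioned) */
  SIM_ALLOC_FAIL    /* variable exists but the read fails (e.g. pool exhausted) */
} SimMode;

static SimMode sim_mode = SIM_SB_ENABLED;
void set_sim_mode(SimMode m) { sim_mode = m; }

static EFI_STATUS GetEfiGlobalVariable2_sim(const char *Name, void **Value, size_t *Size) {
  (void)Name;
  *Value = NULL;                 /* like the real helper: NULL output on every failure */
  if (Size) *Size = 0;
  switch (sim_mode) {
    case SIM_SB_ABSENT:  return EFI_NOT_FOUND;
    case SIM_ALLOC_FAIL: return EFI_OUT_OF_RESOURCES;
    default: {
      uint8_t *p = malloc(1);
      if (!p) return EFI_OUT_OF_RESOURCES;
      *p = (sim_mode == SIM_SB_ENABLED) ? SECURE_BOOT_MODE_ENABLE : SECURE_BOOT_MODE_DISABLE;
      *Value = p;
      if (Size) *Size = 1;
      return EFI_SUCCESS;
    }
  }
}

/* The weak pattern the bug describes: the status is dropped and only the
 * output pointer is inspected, so every failure looks like "variable absent"
 * and image verification is skipped. Returns true when verification runs. */
bool should_verify_unchecked(void) {
  uint8_t *SecureBoot = NULL;
  GetEfiGlobalVariable2_sim("SecureBoot", (void **)&SecureBoot, NULL);
  if (SecureBoot == NULL) return false;
  bool enforce = (*SecureBoot != SECURE_BOOT_MODE_DISABLE);
  free(SecureBoot);
  return enforce;
}

/* Hardened form (this example's policy): a failed read is not evidence that
 * Secure Boot is off. Only EFI_NOT_FOUND is accepted as "not provisioned";
 * any other error, or a NULL buffer despite success, fails closed. */
bool should_verify_checked(void) {
  uint8_t *SecureBoot = NULL;
  EFI_STATUS Status = GetEfiGlobalVariable2_sim("SecureBoot", (void **)&SecureBoot, NULL);
  if (Status == EFI_NOT_FOUND) return false;
  if (EFI_ERROR(Status) || SecureBoot == NULL) return true;   /* fail closed */
  bool enforce = (*SecureBoot != SECURE_BOOT_MODE_DISABLE);
  free(SecureBoot);
  return enforce;
}

int main(void) {
  static const char *names[] = {"enabled", "disabled", "absent", "read-fails"};
  for (int m = SIM_SB_ENABLED; m <= SIM_ALLOC_FAIL; m++) {
    set_sim_mode((SimMode)m);
    printf("%-10s unchecked=%d checked=%d\n", names[m],
           should_verify_unchecked(), should_verify_checked());
  }
  return 0;
}
```

The two functions agree on the three ordinary cases and differ only when the read fails: the unchecked caller skips verification, the checked caller keeps enforcing. When auditing a firmware tree for this class of defect, the thing to grep for is a call whose EFI_STATUS result is discarded while a later branch keys off the output pointer being NULL.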
Tracked as affected: all codestreams, i.e. SLE12-SP2, SP3, SP4, SLE15 and SLE15-SP2.
Although a patch was proposed in the edk2 upstream bugzilla, the developer never sent the patch for review, so there is no fix merged into edk2 git now...
- SUSE:SLE-12-SP2:Update/ovmf 2015+git1462940744.321151f [sent, IBS SR#295124]
- SUSE:SLE-12-SP3:Update/ovmf 2017+git1492060560.b6d11d7c46 [sent, IBS SR#295116]
- SUSE:SLE-12-SP4:Update/ovmf 2017+git1510945757.b2662641d5 [sent, IBS SR#295104]
- SUSE:SLE-15-SP2:Update/ovmf 201911 [accepted, IBS SR#294942]
- SUSE:SLE-15-SP3:Update/ovmf 202008 [accepted, IBS SR#294651]
- SUSE:SLE-15-SP4:Update/ovmf 202202
- SUSE:SLE-15-SP5:GA 202208 [sent, IBS SR#294652]
- SUSE:SLE-15:Update/ovmf 2017+git1510945757.b2662641d5 [accepted, IBS SR#295084]
- openSUSE:Factory/ovmf 202302
SUSE-SU-2023:1921-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): ovmf-201911-150200.7.27.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): ovmf-201911-150200.7.27.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): ovmf-201911-150200.7.27.1
SUSE Enterprise Storage 7 (src): ovmf-201911-150200.7.27.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1941-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE OpenStack Cloud 9 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE OpenStack Cloud Crowbar 9 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server 12 SP5 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): ovmf-2017+git1510945757.b2662641d5-3.41.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1940-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
SUSE CaaS Platform 4.0 (src): ovmf-2017+git1510945757.b2662641d5-150000.5.46.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1958-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Real Time 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): ovmf-202008-150300.10.20.1
SUSE Manager Proxy 4.2 (src): ovmf-202008-150300.10.20.1
SUSE Manager Retail Branch Server 4.2 (src): ovmf-202008-150300.10.20.1
SUSE Manager Server 4.2 (src): ovmf-202008-150300.10.20.1
SUSE Enterprise Storage 7.1 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Micro 5.1 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Micro 5.2 (src): ovmf-202008-150300.10.20.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): ovmf-202008-150300.10.20.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1968-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1174246, 1196741
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): ovmf-2015+git1462940744.321151f-19.26.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
- SUSE:SLE-12-SP2:Update/ovmf 2015+git1462940744.321151f [accepted, IBS SR#295124]
- SUSE:SLE-12-SP3:Update/ovmf 2017+git1492060560.b6d11d7c46 [accepted, IBS SR#295116]
- SUSE:SLE-12-SP4:Update/ovmf 2017+git1510945757.b2662641d5 [accepted, IBS SR#295104]
- SUSE:SLE-15-SP2:Update/ovmf 201911 [accepted, IBS SR#294942]
- SUSE:SLE-15-SP3:Update/ovmf 202008 [accepted, IBS SR#294651]
- SUSE:SLE-15-SP4:Update/ovmf 202202 [sent, IBS SR#298093]
- SUSE:SLE-15-SP5:GA 202208 [accepted, IBS SR#294652]
- SUSE:SLE-15:Update/ovmf 2017+git1510945757.b2662641d5 [accepted, IBS SR#295084]
- openSUSE:Factory/ovmf 202302
(In reply to Joey Lee from comment #27)
[...snip]
> - SUSE:SLE-15-SP4:Update/ovmf 202202 [sent, IBS SR#298093]

Re-submitted to 15-SP4 together with the bsc#1196741 fix: https://build.suse.de/request/show/298094
SUSE-SU-2023:2234-1: An update that solves two vulnerabilities and has one fix can now be installed.
Category: security (important)
Bug References: 1174246, 1196741, 1205613
CVE References: CVE-2019-14560, CVE-2021-38578
Sources used:
openSUSE Leap Micro 5.3 (src): ovmf-202202-150400.5.10.1
openSUSE Leap 15.4 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro 5.3 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): ovmf-202202-150400.5.10.1
SUSE Linux Enterprise Micro 5.4 (src): ovmf-202202-150400.5.10.1
Server Applications Module 15-SP4 (src): ovmf-202202-150400.5.10.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
(In reply to Joey Lee from comment #29)
> (In reply to Joey Lee from comment #27)
> [...snip]
> > - SUSE:SLE-15-SP4:Update/ovmf 202202 [sent, IBS SR#298093]
>
> Re-submit to 15-SP4 with bsc#1196741 fixing:
> https://build.suse.de/request/show/298094

The patch has been merged into SLE/ovmf. Resetting the assignee.