{
  "threat_severity" : "Low",
  "public_date" : "2020-03-02T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: sync of excessive duration via an XFS v5 image with crafted metadata",
    "id" : "1832543",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1832543"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-835",
  "details" : [ "An issue was discovered in xfs_agf_verify in fs/xfs/libxfs/xfs_alloc.c in the Linux kernel through 5.6.10. Attackers may trigger a sync of excessive duration via an XFS v5 image with crafted metadata, aka CID-d0c7feaf8767.", "A flaw was discovered in the XFS source in the Linux kernel. This flaw allows an attacker with the ability to mount an XFS filesystem, to trigger a denial of service while attempting to sync a file located on an XFS v5 image with crafted metadata." ],
  "statement" : "This issue is rated as having Low impact because of the preconditions needed to trigger it (administrative account or physical access).",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-08-25T00:00:00Z",
    "advisory" : "RHSA-2020:3545",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "kernel-alt-0:4.14.0-115.29.1.el7a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4609",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-240.rt7.54.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4431",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-240.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Fix deferred",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-12655\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-12655" ],
  "name" : "CVE-2020-12655",
  "mitigation" : {
    "value" : "This flaw requires that an attacker be able to have the system mount a crafted filesystem.\nIf the xfs filesystem is not in use, the 'xfs' kernel module can be blacklisted, and the module\nwill not be loaded when a mount is attempted, so mounting will fail.\nHowever, if this filesystem is in use, this workaround will not be suitable.\nTo find out how to blacklist the \"xfs\" kernel module please see https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services",
    "lang" : "en:us"
  },
  "csaw" : false
}