The Linux Kernel SACK vulnerabilities have been fixed. This section describes the solution to these vulnerabilities.
Vulnerability Details
On June 18, 2019, Red Hat released a security notice, stating that three security vulnerabilities (CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479) were found on the TCP SACK module of the Linux kernel. These vulnerabilities are related to the maximum segment size (MSS) and TCP selective acknowledgment (SACK) packets. Remote attackers can exploit these vulnerabilities to trigger a denial of service (DoS), resulting in server unavailability or breakdown.
Helpful links:
https://www.suse.com/support/kb/doc/?id=7023928
https://access.redhat.com/security/vulnerabilities/tcpsack
https://www.debian.org/lts/security/2019/dla-1823
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic?
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
Type |
CVE-ID |
Discovered |
Fixed |
|---|---|---|---|
Input validation flaw |
2019-06-17 |
2019-07-06 |
|
Resource management flaw |
2019-06-17 |
2019-07-06 |
|
Resource management flaw |
2019-06-17 |
2019-07-06 |
Impact
Linux 2.6.29 and later versions (CVE-2019-11477)
Solution
- EulerOS 2.2 supports an upgrade to the kernel version 3.10.0-327.62.59.83.h162.x86_64.
- The node must be accessible to external networks. After the kernel is upgraded, restart the system.
- The following errors may be encountered during the upgrade. However, they do not affect system functions and can be ignored.
depmod: ERROR: fstatat(9, vport-gre.ko): No such file or directory depmod: ERROR: fstatat(9, vport-vxlan.ko): No such file or directory depmod: ERROR: fstatat(9, vport-geneve.ko): No such file or directory depmod: ERROR: fstatat(9, openvswitch.ko): No such file or directory depmod: ERROR: fstatat(5, vport-gre.ko): No such file or directory depmod: ERROR: fstatat(5, vport-vxlan.ko): No such file or directory depmod: ERROR: fstatat(5, vport-geneve.ko): No such file or directory depmod: ERROR: fstatat(5, openvswitch.ko): No such file or directory
- Log in to the node as the root user and run the following command to update the kernel:
yum update kernel -y
- When the yum update command is used to upgrade the operating system, container network components could become unavailable. Run the following command to restore the components:
#!/bin/bash function upgrade_kmod() { openvswicth_mod_path=$(rpm -qal openvswitch-kmod) rpm_version=$(rpm -qal openvswitch-kmod|grep -w openvswitch|head -1|awk -F "/" '{print $4}') sys_version=`cat /boot/grub2/grub.cfg | grep EulerOS|awk 'NR==1{print $3}' | sed 's/[()]//g'` if [[ "${rpm_version}" != "${sys_version}" ]];then mkdir -p /lib/modules/"${sys_version}"/extra/openvswitch for path in ${openvswicth_mod_path[@]};do name=$(echo "$path" | awk -F "/" '{print $NF}') rm -f /lib/modules/"${sys_version}"/updates/"${name}" rm -f /lib/modules/"${sys_version}"/extra/openvswitch/"${name}" ln -s "${path}" /lib/modules/"${sys_version}"/extra/openvswitch/"${name}" done fi depmod ${sys_version} } upgrade_kmod - Restart the VM.
reboot