CloudLinux - CloudLinux Blog - Don’t panic about TCP SACK PANIC—we’re working on it

Don’t panic about TCP SACK PANIC—we’re working on it


Netflix recently disclosed TCP networking vulnerabilities in the FreeBSD and Linux kernels.

There are three flaws: one is rated Important (CVE-2019-11477) and two are rated Moderate (CVE-2019-11478 and CVE-2019-11479).

What is the problem?

The flaws involve the Maximum Segment Size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. The most dangerous one, TCP SACK PANIC, allows a remote attacker to trigger a kernel panic on Linux kernels. You can find the detailed description here.

When will the CloudLinux OS 6 & 7 kernels be patched?

We are going to release patches with the fix for the TCP SACK PANIC vulnerabilities for CloudLinux OS 6 & 7 to Beta tomorrow and to Stable on the upcoming Monday.

How to mitigate?

Red Hat specialists propose two mitigation options for the CVE-2019-11477 and CVE-2019-11478 flaws: "disable the vulnerable component, or use iptables to drop connections with an MSS size". You can find the details here (Resolve tab, Mitigation section).
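The two mitigations above, written out as a small shell script that checks whether SACK is still enabled and can preview or apply the sysctl and iptables changes. This is an added example, not CloudLinux's or Red Hat's own tooling; the 500-byte MSS cutoff and the use of the `tcpmss` match are assumptions about the concrete form of "drop connections with an MSS size", and the sysctl path is a parameter so it can be checked against a constructed file.

```shell
#!/bin/sh
# Added example (not CloudLinux's or Red Hat's own tooling): check whether a
# Linux host still has TCP SACK enabled and apply the two mitigations the post
# refers to: turn SACK off, and drop inbound TCP connections that advertise a
# small MSS. ASSUMPTION: the 500-byte cutoff and the tcpmss match are the
# concrete form of "drop connections with an MSS size"; tune to your fleet.

MSS_CUTOFF=500   # assumed threshold: MSS values from 1 to this are dropped

# sack_enabled SYSCTL_FILE -> exit 0 when the file holds "1" (SACK on).
# Point it at /proc/sys/net/ipv4/tcp_sack on a real host, or at a
# constructed file when testing.
sack_enabled() {
    [ "$(cat "$1" 2>/dev/null | tr -d '[:space:]')" = "1" ]
}

# mss_drop_rule TOOL MAX -> prints the firewall command that drops TCP
# packets carrying an MSS option in the range 1..MAX (only SYN/SYN-ACK
# segments carry the option, so established flows are not touched).
mss_drop_rule() {
    printf '%s -I INPUT -p tcp -m tcpmss --mss 1:%s -j DROP\n' "$1" "$2"
}

# apply_mitigations RUNNER -> executes each step through RUNNER, so
# "apply_mitigations echo" previews and "apply_mitigations sudo" applies.
apply_mitigations() {
    runner="$1"
    $runner sysctl -w net.ipv4.tcp_sack=0
    $runner $(mss_drop_rule iptables "$MSS_CUTOFF")
    $runner $(mss_drop_rule ip6tables "$MSS_CUTOFF")
}

# report SYSCTL_FILE -> one-line status a monitoring job can grep;
# returns 1 while SACK is still on (unpatched kernel, no mitigation).
report() {
    if sack_enabled "$1"; then
        echo "tcp_sack=1: SACK still enabled, kernel needs the patch or the mitigation"
        return 1
    fi
    echo "tcp_sack=0: SACK disabled"
    return 0
}

# Stand-alone use on a host: preview the commands, then inspect the live sysctl.
if [ "${1:-}" = "--preview" ]; then
    apply_mitigations echo
    report /proc/sys/net/ipv4/tcp_sack
fi
```

Both mitigations have a cost: disabling SACK slows recovery on lossy links, and the MSS rule also rejects legitimate peers that advertise a small MSS, so treat them as a stopgap until the patched kernel is installed.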

Sources
