ASA-201906-12 - log

ASA-201906-12 created at 25 Sep 2019 19:32:14
Workaround
+ - CVE-2019-11477 and CVE-2019-11478
+
+ $ sudo sysctl -w net.ipv4.tcp_sack=0
+
+ The mitigation described below for CVE-2019-11479 is also sufficient for CVE-2019-11477 and CVE-2019-11478 if disabling TCP SACK support is not viable.
+
+ - CVE-2019-11479
+
+ $ sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
+
+ The net.ipv4.tcp_mtu_probing sysctl must be disabled (set to 0) when using the iptables rules shown above.
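Review bot: In the CVE-2019-11479 entry, `iptables -A INPUT` appends the DROP rule to the end of the chain, so on a host whose INPUT chain already accepts TCP earlier (for example an established/related or per-port ACCEPT rule) the low-MSS packets may never reach it; inserting with `-I INPUT` would avoid that ordering dependency. The rule is also IPv4-only, so the text should add the matching `ip6tables` rule for hosts that accept TCP over IPv6. Both `sysctl -w` and the iptables command change runtime state only and are lost at reboot; the workaround should say so and point to a sysctl.d drop-in and the saved firewall ruleset for persistence. The closing sentence should also spell out the setting it requires, i.e. `net.ipv4.tcp_mtu_probing=0`, and says "rules" although a single rule is shown.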
Impact
+ A remote attacker is able to crash the system by sending specially crafted TCP packets.