CVE-2019-11478 log

Source
Severity High
Remote Yes
Type Denial of service
Description
An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.
Group Package Affected Fixed Severity Status Ticket
AVG-986 linux-hardened 5.1.10.a-1 5.1.11.a-1 High Fixed
AVG-985 linux-zen 5.1.10.zen1-1 5.1.11.zen1-1 High Fixed
AVG-984 linux-lts 4.19.51-1 4.19.52-1 High Fixed
AVG-983 linux 5.1.10.arch1-1 5.1.11.arch1-1 High Fixed
Date Advisory Group Package Severity Description
18 Jun 2019 ASA-201906-15 AVG-985 linux-zen High denial of service
18 Jun 2019 ASA-201906-14 AVG-984 linux-lts High denial of service
18 Jun 2019 ASA-201906-13 AVG-983 linux High denial of service
17 Jun 2019 ASA-201906-12 AVG-986 linux-hardened High denial of service
References
https://www.openwall.com/lists/oss-security/2019/06/17/5
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://access.redhat.com/security/vulnerabilities/tcpsack
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e
Notes
Workaround:

$ sudo sysctl -w net.ipv4.tcp_sack=0
net.ipv4.tcp_sack = 0

IMPORTANT: The sysctl modification shown above is not persistent across reboots