CVE-2019-11478 - log back

CVE-2019-11478 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.
References
+ https://www.openwall.com/lists/oss-security/2019/06/17/5
+ https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ https://access.redhat.com/security/vulnerabilities/tcpsack
+ https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e
Notes
+ Workaround:
+
+ $ sudo sysctl -w net.ipv4.tcp_sack=0
+ net.ipv4.tcp_sack = 0
+
+ IMPORTANT: The sysctl modification shown above is not persistent across reboots