
Solution to the Linux Kernel SACK Vulnerabilities

The CCE team provides the following solution for fixing the recently disclosed SACK vulnerabilities in the Linux kernel.

Vulnerability Details

On June 18, 2019, Red Hat released a security notice stating that the TCP SACK module of the Linux kernel is exposed to three security vulnerabilities (CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479). These vulnerabilities are related to the maximum segment size (MSS) and TCP Selective Acknowledgment (SACK) packets. Remote attackers can exploit them to trigger a denial of service (DoS), causing the server to become unavailable or crash.

Reference links:

https://www.suse.com/support/kb/doc/?id=7023928

https://access.redhat.com/security/vulnerabilities/tcpsack

https://www.debian.org/lts/security/2019/dla-1823

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic?

https://lists.centos.org/pipermail/centos-announce/2019-June/023332.html

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md

Table 1 Vulnerability information

Vulnerability Type        CVE-ID           Published    Fixed
Input validation flaw     CVE-2019-11477   2019-06-17   2019-07-06
Resource management flaw  CVE-2019-11478   2019-06-17   2019-07-06
Resource management flaw  CVE-2019-11479   2019-06-17   2019-07-06

Affected Products

Linux kernel version 2.6.29 and later

Solution

  • EulerOS 2.2 supports kernel upgrade to 3.10.0-327.62.59.83.h162.x86_64.
  • CentOS 7.4 supports kernel upgrade to 3.10.0-957.21.3.el7.x86_64.
  • Nodes must have EIPs, and must be restarted after the kernel upgrade is complete.
  • The following error messages displayed during the upgrade are normal and do not affect the upgrade:
    depmod: ERROR: fstatat(9, vport-gre.ko): No such file or directory
    depmod: ERROR: fstatat(9, vport-vxlan.ko): No such file or directory
    depmod: ERROR: fstatat(9, vport-geneve.ko): No such file or directory
    depmod: ERROR: fstatat(9, openvswitch.ko): No such file or directory
    depmod: ERROR: fstatat(5, vport-gre.ko): No such file or directory
    depmod: ERROR: fstatat(5, vport-vxlan.ko): No such file or directory
    depmod: ERROR: fstatat(5, vport-geneve.ko): No such file or directory
    depmod: ERROR: fstatat(5, openvswitch.ko): No such file or directory
  1. Log in to a worker node as user root, and run the following command to upgrade the kernel:

    yum update kernel -y

  2. After the kernel is upgraded with yum update, the container network components (the openvswitch kernel modules) are not found by the new kernel. Run the following script to restore them:

    #!/bin/bash
    # Re-link the openvswitch kernel modules shipped by the openvswitch-kmod RPM
    # into the module tree of the newly installed kernel, then rebuild the module
    # dependency list. Run this before the reboot in step 3: the new kernel
    # version is read from the GRUB menu (first EulerOS entry), not from the
    # running kernel.
    function upgrade_kmod()
    {
        openvswitch_mod_paths=$(rpm -qal openvswitch-kmod)
        # Kernel version the RPM was built for: the 4th component of /lib/modules/<version>/...
        rpm_version=$(rpm -qal openvswitch-kmod | grep -w openvswitch | head -1 | awk -F "/" '{print $4}')
        # Kernel version that will boot next, taken from the first EulerOS GRUB menu entry.
        sys_version=$(grep EulerOS /boot/grub2/grub.cfg | awk 'NR==1{print $3}' | sed 's/[()]//g')

        if [[ "${rpm_version}" != "${sys_version}" ]]; then
            mkdir -p /lib/modules/"${sys_version}"/extra/openvswitch
            for path in ${openvswitch_mod_paths}; do
                name=$(echo "$path" | awk -F "/" '{print $NF}')
                # Drop any stale copy, then point the new kernel's tree at the RPM's file.
                rm -f /lib/modules/"${sys_version}"/updates/"${name}"
                rm -f /lib/modules/"${sys_version}"/extra/openvswitch/"${name}"
                ln -s "${path}" /lib/modules/"${sys_version}"/extra/openvswitch/"${name}"
            done
        fi
        depmod "${sys_version}"
    }
    upgrade_kmod

  3. Run the following command to restart the VM where the worker node resides:

    reboot
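A post-upgrade verification helper for the three steps above, added here as an example (it is not part of the CCE documentation or product). It checks that a node runs a kernel at or above the fixed build quoted in the Solution section for its distribution, and that the openvswitch modules re-linked in step 2 exist for the running kernel; the distribution names `euleros` and `centos` and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example, not CCE code: verify a node after the upgrade and reboot.
# Fixed kernel builds are the ones listed in the Solution section.

# Lowest kernel build carrying the SACK fixes, per distribution (from the page).
fixed_kernel_for() {
    case "$1" in
        euleros) echo "3.10.0-327.62.59.83.h162.x86_64" ;;
        centos)  echo "3.10.0-957.21.3.el7.x86_64" ;;
        *)       return 1 ;;
    esac
}

# version_ge A B: exit 0 when kernel release A >= B. Every run of digits is
# compared numerically, left to right (so 3.10.0-957.21.3 > 3.10.0-957.12.2).
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { gsub(/[^0-9]+/, " "); c[NR] = split($0, f, " ")
          for (i = 1; i <= c[NR]; i++) v[NR, i] = f[i] }
        END { m = (c[1] > c[2]) ? c[1] : c[2]
              for (i = 1; i <= m; i++) {
                  if (v[1, i] + 0 > v[2, i] + 0) exit 0
                  if (v[1, i] + 0 < v[2, i] + 0) exit 1 }
              exit 0 }'
}

# kernel_is_fixed DISTRO RELEASE: 0 = fixed, 1 = below the fixed build, 2 = unknown distro.
kernel_is_fixed() {
    local want
    want=$(fixed_kernel_for "$1") || return 2
    version_ge "$2" "$want"
}

# ovs_modules_present MODULES_DIR: 0 when each module named in the depmod
# messages above exists under MODULES_DIR/extra/openvswitch.
ovs_modules_present() {
    local m
    for m in openvswitch.ko vport-gre.ko vport-vxlan.ko vport-geneve.ko; do
        [ -e "$1/extra/openvswitch/$m" ] || return 1
    done
}

# check_node DISTRO: run on the node itself after the reboot in step 3.
check_node() {
    local rel
    rel=$(uname -r)
    kernel_is_fixed "$1" "$rel" || { echo "kernel $rel is below the fixed build"; return 1; }
    ovs_modules_present "/lib/modules/$rel" || { echo "openvswitch modules missing for $rel"; return 1; }
    echo "OK: kernel $rel with openvswitch modules present"
}
```

Run `check_node euleros` or `check_node centos` on the worker node; a non-zero exit means the node still needs attention.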