An excessive resource(CPU/Memory etc.) consumption issue was found in the way Linux kernel processes TCP Selective Acknowledgement(SACK) segments. While processing SACK segments, Linux kernel's socket buffer(SBK) data structure becomes fragmented. SKB is also used as retransmission queue. This fragmentation leads to increased resource utilisation to traverse and process these fragments, as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a DoS by sending a crafted sequence of SACK segments on a TCP connection. Upstream patch: --------------- -> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e Reference: ---------- -> https://www.ietf.org/rfc/rfc2018.txt -> http://vger.kernel.org/~davem/skb_data.html
Acknowledgments: Name: Jonathan Looney (Netflix Information Security)
Statement: Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack Red Hat Enterprise Linux 5 is now in Maintenance Support 2 Phase of maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
Mitigation: For mitigation, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack
Note: This issue has been rated as having Moderate impact because the denial of service effect is caused by excessive resource(CPU/Memory/Bandwidth etc.) consumption by the offending TCP connections and thus temporary. It leaves lesser resources for the other processes and connections on the system. This resource crunch lasts as long as the offending TCP connections are alive with incoming network traffic. It does not completely halt the system. Network monitoring system(s) would likely raise alerts/alarms for such incoming network traffic. So an administrator should be able to take due measures to thwart offending TCP connections and pertaining network traffic to control the impact of the DoS on affected systems.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1721256]
External References: https://www.openwall.com/lists/oss-security/2019/06/17/5 https://patchwork.ozlabs.org/project/netdev/list/?series=114310
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1479 https://access.redhat.com/errata/RHSA-2019:1479
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1488 https://access.redhat.com/errata/RHSA-2019:1488
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1481 https://access.redhat.com/errata/RHSA-2019:1481
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:1482 https://access.redhat.com/errata/RHSA-2019:1482
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1483 https://access.redhat.com/errata/RHSA-2019:1483
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2019:1489 https://access.redhat.com/errata/RHSA-2019:1489
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Via RHSA-2019:1490 https://access.redhat.com/errata/RHSA-2019:1490
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions Red Hat Enterprise Linux 7.2 Telco Extended Update Support Via RHSA-2019:1485 https://access.redhat.com/errata/RHSA-2019:1485
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Red Hat Enterprise Linux 7.3 Telco Extended Update Support Via RHSA-2019:1484 https://access.redhat.com/errata/RHSA-2019:1484
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1480 https://access.redhat.com/errata/RHSA-2019:1480
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:1487 https://access.redhat.com/errata/RHSA-2019:1487
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1486 https://access.redhat.com/errata/RHSA-2019:1486
This issue has been addressed in the following products: Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1594 https://access.redhat.com/errata/RHSA-2019:1594
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1602 https://access.redhat.com/errata/RHSA-2019:1602
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4 (RH CoreOS) Via RHBA-2019:1589 https://access.redhat.com/errata/RHBA-2019:1589
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:1699 https://access.redhat.com/errata/RHSA-2019:1699
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11478
OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.