An excessive resource consumption issue was found in the way Linux kernel processes TCP segments. If Maximum Segment Size(MSS) of a TCP connection was set to its lowest value of 48 bytes, it leaves merely 8 bytes for the user data. It significantly increases Linux kernel's resource (CPU/Memory/Bandwidth etc.) utilisation leading to a DoS like scenario. A remote attacker could use this flaw to cause DoS by repeatedly sending network traffic on a TCP connection with lowest value for TCP MSS. Upstream patch: --------------- -> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
Acknowledgments: Name: Jonathan Looney (Netflix Information Security)
Mitigation: For mitigation, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack
Note: This issue has been rated as having Moderate impact because the denial of service effect is caused by excessive resource(CPU/Memory/Bandwidth etc.) consumption by the offending TCP connections and thus temporary. It leaves lesser resources for the other processes and connections on the system. This resource crunch lasts as long as the offending TCP connections are alive with incoming network traffic. It does not completely halt the system. Network monitoring system(s) would likely raise alerts/alarms for such incoming network traffic. So an administrator should be able to take due measures to thwart offending TCP connections and pertaining network traffic to control the impact of the DoS on affected systems.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1721255]
External References: https://www.openwall.com/lists/oss-security/2019/06/17/5 https://patchwork.ozlabs.org/project/netdev/list/?series=114310
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1479 https://access.redhat.com/errata/RHSA-2019:1479
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2019:1488 https://access.redhat.com/errata/RHSA-2019:1488
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1481 https://access.redhat.com/errata/RHSA-2019:1481
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.5 Extended Update Support Via RHSA-2019:1482 https://access.redhat.com/errata/RHSA-2019:1482
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Extended Update Support Via RHSA-2019:1483 https://access.redhat.com/errata/RHSA-2019:1483
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Via RHSA-2019:1489 https://access.redhat.com/errata/RHSA-2019:1489
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Via RHSA-2019:1490 https://access.redhat.com/errata/RHSA-2019:1490
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Advanced Update Support Red Hat Enterprise Linux 7.2 Update Services for SAP Solutions Red Hat Enterprise Linux 7.2 Telco Extended Update Support Via RHSA-2019:1485 https://access.redhat.com/errata/RHSA-2019:1485
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions Red Hat Enterprise Linux 7.3 Telco Extended Update Support Via RHSA-2019:1484 https://access.redhat.com/errata/RHSA-2019:1484
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1480 https://access.redhat.com/errata/RHSA-2019:1480
This issue has been addressed in the following products: Red Hat Enterprise MRG 2 Via RHSA-2019:1487 https://access.redhat.com/errata/RHSA-2019:1487
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1486 https://access.redhat.com/errata/RHSA-2019:1486
This issue has been addressed in the following products: Red Hat Virtualization 4.2 for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1594 https://access.redhat.com/errata/RHSA-2019:1594
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:1602 https://access.redhat.com/errata/RHSA-2019:1602
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4 (RH CoreOS) Via RHBA-2019:1589 https://access.redhat.com/errata/RHBA-2019:1589
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2019:1699 https://access.redhat.com/errata/RHSA-2019:1699
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11479
Statement: Red Hat Product Security is aware of this issue. Updates will be released as they become available. For additional information, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack Red Hat Enterprise Linux 5 is now in the Extended Life Phase of maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
OpenShift Container Platform 4 does not ship its own kernel package, instead using versions shipped in RHEL. Removing from flaw bug affects.