vCloud Director for Service Providers Appliance versions 9.5, 9.5.0.1, 9.5.0.2, 9.5.0.3, 9.7 and 9.7.0.1 Workaround for CVE-2019-11477 and CVE-2019-11478

Article ID: 343209

Products

VMware Cloud Director

Issue/Introduction

CVE-2019-11477 and CVE-2019-11478 have been determined to affect vCloud Director for Service Providers Appliance versions 9.5, 9.5.0.1, 9.5.0.2, 9.5.0.3, 9.7 and 9.7.0.1. 

These vulnerabilities, their effect on VMware products, and VMware’s overall response are documented in VMSA-2019-0010. Please review this advisory before continuing, as there may be considerations outside the scope of this particular document, including permanent solutions.

The vCloud Director for Service Providers team has determined that the aforementioned issues can be mitigated by performing the steps detailed in the resolution section of this article. This workaround is meant to be a temporary solution only - permanent fixes will be released as soon as they are available.

Environment

VMware Cloud Director for Service Provider 9.5.x
VMware Cloud Director for Service Provider 9.7.x

Resolution

To implement the workaround for CVE-2019-11477 and CVE-2019-11478 perform the following steps:
  1. Disable selective acknowledgments system wide for all newly established TCP connections. SSH into each appliance and execute the following command:
# echo 0 > /proc/sys/net/ipv4/tcp_sack

Note: This option will disable selective acknowledgements but will likely increase the bandwidth required to correctly complete streams when errors occur.

  2. Make this option persist across reboots. In each appliance, create a file in /etc/sysctl.d/ such as /etc/sysctl.d/99-tcpsack.conf with the following content (the first line is a comment inside the file):
# CVE-2019-11477 & CVE-2019-11478
net.ipv4.tcp_sack=0
 

To confirm that the workaround for CVE-2019-11477 and CVE-2019-11478 has been correctly applied perform the following steps:
  1. SSH into each appliance and enter the following command:
# cat /proc/sys/net/ipv4/tcp_sack
or
# sysctl -a | grep tcp_sack

Note: A value of 0 indicates tcp_sack is disabled and that the workaround is enabled.

  2. To confirm that the workaround persists across reboots, restart each appliance and repeat the step above.
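As an added example that is not part of this VMware article, the following POSIX shell helper performs the two checks above on a Linux appliance: it reads the live value from /proc and, instead of waiting for a reboot, works out the value that sysctl --system will apply at boot by scanning /etc/sysctl.d/*.conf in lexical order followed by /etc/sysctl.conf (a later file setting net.ipv4.tcp_sack=1 would silently undo the workaround). The paths are parameters so the helper can be exercised against copies of the files; the function names are the author's own.

```shell
#!/bin/sh
# Added verification helper for the tcp_sack workaround (not VMware's code).
# Checks: (1) the live kernel value in /proc/sys/net/ipv4/tcp_sack and
# (2) the value that will be effective after reboot, i.e. the last
# net.ipv4.tcp_sack assignment across /etc/sysctl.d/*.conf (lexical order)
# and then /etc/sysctl.conf, which is the order sysctl --system applies them.

# Print the persisted value ("0", "1", or "unset" when no file sets it).
# The last assignment wins; leading whitespace, spaces around "=" and
# trailing comments are tolerated, commented-out lines are ignored.
persisted_tcp_sack() {
    sysctl_dir="$1"      # e.g. /etc/sysctl.d
    sysctl_conf="$2"     # e.g. /etc/sysctl.conf
    value="unset"
    for f in "$sysctl_dir"/*.conf "$sysctl_conf"; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*net\.ipv4\.tcp_sack[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# Return 0 only when the workaround is fully applied (live value 0 AND
# persisted value 0); otherwise print what is wrong and return 1.
check_tcp_sack_workaround() {
    proc_file="$1"; sysctl_dir="$2"; sysctl_conf="$3"
    live=$(cat "$proc_file" 2>/dev/null || echo "unreadable")
    persisted=$(persisted_tcp_sack "$sysctl_dir" "$sysctl_conf")
    status=0
    if [ "$live" = "0" ]; then
        echo "live tcp_sack=0: workaround active"
    else
        echo "live tcp_sack=$live: workaround NOT active"; status=1
    fi
    if [ "$persisted" = "0" ]; then
        echo "persisted tcp_sack=0: survives reboot"
    else
        echo "persisted tcp_sack=$persisted: will NOT survive reboot"; status=1
    fi
    return $status
}

# On a real appliance (the KB's 99-tcpsack.conf lives in /etc/sysctl.d):
# check_tcp_sack_workaround /proc/sys/net/ipv4/tcp_sack /etc/sysctl.d /etc/sysctl.conf
```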
 
To remove the workaround for CVE-2019-11477 and CVE-2019-11478 at a later time, perform the following steps:

  1. Re-enable selective acknowledgments system wide for all newly established TCP connections. SSH into each appliance and execute the following command:
# echo 1 > /proc/sys/net/ipv4/tcp_sack
  2. In each appliance, delete the file /etc/sysctl.d/99-tcpsack.conf previously created in /etc/sysctl.d/

For up-to-date information on CVE-2019-11477 and CVE-2019-11478 as well as future security information, please add your email address to the Sign up for Security Advisories window found in VMSA-2019-0010.

Additional Information

Impact/Risks:
Warning 
This workaround is applicable ONLY to vCloud Director for Service Providers Appliance versions 9.5, 9.5.0.1, 9.5.0.2, 9.5.0.3, 9.7 and 9.7.0.1. Do not apply this workaround to other VMware products. 
 
Functionality Impacts 
This workaround will likely increase the bandwidth required to correctly complete TCP streams when errors occur. This is the only functionality impact known at this time.