To implement the workaround for CVE-2019-11477 and CVE-2019-11478 perform the following steps:
- Disable selective acknowledgments system wide for all newly established TCP connections. SSH into each appliance and, as root, execute the following command:
# echo 0 > /proc/sys/net/ipv4/tcp_sack
Note: With selective acknowledgments disabled the receiver can only acknowledge the contiguous prefix of a stream, so after packet loss the sender may retransmit data the receiver already holds. Expect more retransmissions and lower throughput on lossy or high-latency paths. Connections that were already established keep the SACK setting negotiated at setup time; only new connections are affected.
- Make this option persist across reboots. On each appliance, create a file in /etc/sysctl.d/ such as /etc/sysctl.d/99-tcpsack.conf with the following content:
# CVE-2019-11477 & CVE-2019-11478
net.ipv4.tcp_sack=0
To confirm that the workaround for CVE-2019-11477 and CVE-2019-11478 has been correctly applied perform the following steps:
- SSH into each appliance and run either of the following commands:
# cat /proc/sys/net/ipv4/tcp_sack
or
# sysctl -a | grep tcp_sack
Note: A value of 0 indicates that tcp_sack is disabled and the workaround is in place. A value of 1 means selective acknowledgments are still enabled and the workaround has not been applied.
- To confirm that the workaround persists across reboots, restart each appliance and repeat the step above.
To remove the workaround for CVE-2019-11477 and CVE-2019-11478 at a later time, perform the following steps:
- Re-enable selective acknowledgments system wide for all newly established TCP connections. SSH into each appliance and, as root, execute the following command:
# echo 1 > /proc/sys/net/ipv4/tcp_sack
- On each appliance, delete the file /etc/sysctl.d/99-tcpsack.conf created earlier, so that the setting does not return after the next reboot.
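The apply, persist, verify and remove steps above, collected into one POSIX shell script. This is an added example and not part of the VMware article or the appliance software; it assumes a Linux appliance that exposes /proc/sys/net/ipv4/tcp_sack and reads /etc/sysctl.d at boot, and it must be run as root. The ROOT variable is a hypothetical prefix, empty by default, that exists only so the functions can be exercised against a scratch directory instead of a live system.

```shell
#!/bin/sh
# Added example: apply, verify and remove the tcp_sack workaround for
# CVE-2019-11477 / CVE-2019-11478 on a Linux appliance. Run as root.
# ROOT is a hypothetical path prefix (empty on a real system) used only so the
# functions can be tested against a scratch directory.

proc_file()   { printf '%s\n' "${ROOT:-}/proc/sys/net/ipv4/tcp_sack"; }
sysctl_file() { printf '%s\n' "${ROOT:-}/etc/sysctl.d/99-tcpsack.conf"; }

# sack_status: print "disabled" (workaround active), "enabled", or "unknown"
# when the sysctl cannot be read.
sack_status() {
    val=$(cat "$(proc_file)" 2>/dev/null | tr -d '[:space:]')
    case "$val" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# sack_set 0|1: change the running kernel's setting; affects new connections only.
sack_set() {
    case "$1" in
        0|1) ;;
        *) echo "usage: sack_set 0|1" >&2; return 2 ;;
    esac
    printf '%s\n' "$1" > "$(proc_file)"
}

# workaround_apply: disable SACK now and persist the setting across reboots.
workaround_apply() {
    sack_set 0 || return 1
    mkdir -p "$(dirname "$(sysctl_file)")"
    printf '# CVE-2019-11477 & CVE-2019-11478\nnet.ipv4.tcp_sack=0\n' > "$(sysctl_file)"
}

# workaround_remove: re-enable SACK now and drop the persistent setting.
workaround_remove() {
    sack_set 1 || return 1
    rm -f "$(sysctl_file)"
}

# workaround_verify: succeed only if the live value is 0 AND the sysctl.d file
# will set it to 0 again after a reboot; either check failing is a finding.
workaround_verify() {
    [ "$(sack_status)" = disabled ] || { echo "live tcp_sack is not 0" >&2; return 1; }
    grep -qs '^net\.ipv4\.tcp_sack *= *0$' "$(sysctl_file)" \
        || { echo "tcp_sack=0 not persisted in $(sysctl_file)" >&2; return 1; }
    echo "workaround active and persistent"
}

# Dispatch when invoked directly: ./sack-workaround.sh apply|verify|remove
case "${1:-}" in
    apply)  workaround_apply ;;
    verify) workaround_verify ;;
    remove) workaround_remove ;;
esac
```

Running `verify` before a reboot only proves the file is present and well formed; repeat it after the reboot, as the article instructs, to confirm the boot-time sysctl loader actually applied it.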
For up-to-date information on CVE-2019-11477 and CVE-2019-11478, as well as future security information, add your email address in the Sign up for Security Advisories window found in VMSA-2019-0010.