CVE-2019-11478
First published: Tue Jun 11 2019(Updated: )
An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP Selective Acknowledgment (SACK) segments. While processing SACK segments, the Linux kernel's socket buffer (SKB) data structure becomes fragmented, which leads to increased resource utilization to traverse and process these fragments as further SACK segments are received on the same TCP connection. A remote attacker could use this flaw to cause a denial of service (DoS) by sending a crafted sequence of SACK segments on a TCP connection.
Credit: security@ubuntu.com security@ubuntu.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel | <0:2.6.32-754.15.3.el6 | 0:2.6.32-754.15.3.el6 |
| redhat/kernel | <0:2.6.32-431.95.3.el6 | 0:2.6.32-431.95.3.el6 |
| redhat/kernel | <0:2.6.32-504.79.3.el6 | 0:2.6.32-504.79.3.el6 |
| redhat/kernel-rt | <0:3.10.0-957.21.3.rt56.935.el7 | 0:3.10.0-957.21.3.rt56.935.el7 |
| redhat/kernel | <0:3.10.0-957.21.3.el7 | 0:3.10.0-957.21.3.el7 |
| redhat/kernel-alt | <0:4.14.0-115.8.2.el7a | 0:4.14.0-115.8.2.el7a |
| redhat/kernel | <0:3.10.0-327.79.2.el7 | 0:3.10.0-327.79.2.el7 |
| redhat/kernel | <0:3.10.0-514.66.2.el7 | 0:3.10.0-514.66.2.el7 |
| redhat/kernel | <0:3.10.0-693.50.3.el7 | 0:3.10.0-693.50.3.el7 |
| redhat/kernel | <0:3.10.0-862.34.2.el7 | 0:3.10.0-862.34.2.el7 |
| redhat/kernel-rt | <0:4.18.0-80.4.2.rt9.152.el8_0 | 0:4.18.0-80.4.2.rt9.152.el8_0 |
| redhat/kernel | <0:4.18.0-80.4.2.el8_0 | 0:4.18.0-80.4.2.el8_0 |
| redhat/kernel-rt | <1:3.10.0-693.50.3.rt56.644.el6 | 1:3.10.0-693.50.3.rt56.644.el6 |
| redhat/redhat-release-virtualization-host | <0:4.2-11.1.el7 | 0:4.2-11.1.el7 |
| redhat/redhat-virtualization-host | <0:4.2-20190618.0.el7_6 | 0:4.2-20190618.0.el7_6 |
| redhat/redhat-release-virtualization-host | <0:4.3.4-1.el7e | 0:4.3.4-1.el7e |
| redhat/redhat-virtualization-host | <0:4.3.4-20190620.3.el7_6 | 0:4.3.4-20190620.3.el7_6 |
| debian/linux | 4.19.249-2 4.19.289-2 5.10.197-1 5.10.191-1 6.1.66-1 6.1.52-1 6.5.13-1 6.6.8-1 | |
| Linux Linux kernel | <4.4.182 | |
| Linux Linux kernel | >=4.5<4.9.182 | |
| Linux Linux kernel | >=4.10<4.14.127 | |
| Linux Linux kernel | >=4.15<4.19.52 | |
| Linux Linux kernel | >=4.20<5.1.11 | |
| F5 BIG-IP Advanced Firewall Manager | >=11.5.2<=11.6.4 | |
| F5 BIG-IP Advanced Firewall Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Advanced Firewall Manager | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Advanced Firewall Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Advanced Firewall Manager | =15.0.0 | |
| F5 BIG-IP Access Policy Manager | >=11.5.2<=11.6.4 | |
| F5 BIG-IP Access Policy Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Access Policy Manager | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Access Policy Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Access Policy Manager | =15.0.0 | |
| F5 Big-ip Application Acceleration Manager | >=11.5.2<=11.6.4 | |
| F5 Big-ip Application Acceleration Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Application Acceleration Manager | >=13.1.0<=13.1.1 | |
| F5 Big-ip Application Acceleration Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Application Acceleration Manager | =15.0.0 | |
| F5 Big-ip Link Controller | >=11.5.2<=11.6.4 | |
| F5 Big-ip Link Controller | >=12.1.0<=12.1.4 | |
| F5 Big-ip Link Controller | >=13.1.0<=13.1.1 | |
| F5 Big-ip Link Controller | >=14.0.0<=14.1.0 | |
| F5 Big-ip Link Controller | =15.0.0 | |
| F5 Big-ip Policy Enforcement Manager | >=11.5.2<=11.6.4 | |
| F5 Big-ip Policy Enforcement Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Policy Enforcement Manager | >=13.1.0<=13.1.1 | |
| F5 Big-ip Policy Enforcement Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Policy Enforcement Manager | =15.0.0 | |
| F5 Big-ip Webaccelerator | >=11.5.2<=11.6.4 | |
| F5 Big-ip Webaccelerator | >=12.1.0<=12.1.4 | |
| F5 Big-ip Webaccelerator | >=13.1.0<=13.1.1 | |
| F5 Big-ip Webaccelerator | >=14.0.0<=14.1.0 | |
| F5 Big-ip Webaccelerator | =15.0.0 | |
| F5 BIG-IP Application Security Manager | >=11.5.2<=11.6.4 | |
| F5 BIG-IP Application Security Manager | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Application Security Manager | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Application Security Manager | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Application Security Manager | =15.0.0 | |
| F5 Big-ip Local Traffic Manager | >=11.5.2<=11.6.4 | |
| F5 Big-ip Local Traffic Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Local Traffic Manager | >=13.1.0<=13.1.1 | |
| F5 Big-ip Local Traffic Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Local Traffic Manager | =15.0.0 | |
| F5 Big-ip Fraud Protection Service | >=11.5.2<=11.6.4 | |
| F5 Big-ip Fraud Protection Service | >=12.1.0<=12.1.4 | |
| F5 Big-ip Fraud Protection Service | >=13.1.0<=13.1.1 | |
| F5 Big-ip Fraud Protection Service | >=14.0.0<=14.1.0 | |
| F5 Big-ip Fraud Protection Service | =15.0.0 | |
| F5 Big-ip Global Traffic Manager | >=11.5.2<=11.6.4 | |
| F5 Big-ip Global Traffic Manager | >=12.1.0<=12.1.4 | |
| F5 Big-ip Global Traffic Manager | >=13.1.0<=13.1.1 | |
| F5 Big-ip Global Traffic Manager | >=14.0.0<=14.1.0 | |
| F5 Big-ip Global Traffic Manager | =15.0.0 | |
| F5 BIG-IP Analytics | >=11.5.2<=11.6.4 | |
| F5 BIG-IP Analytics | >=12.1.0<=12.1.4 | |
| F5 BIG-IP Analytics | >=13.1.0<=13.1.1 | |
| F5 BIG-IP Analytics | >=14.0.0<=14.1.0 | |
| F5 BIG-IP Analytics | =15.0.0 | |
| F5 Big-ip Edge Gateway | >=11.5.2<=11.6.4 | |
| F5 Big-ip Edge Gateway | >=12.1.0<=12.1.4 | |
| F5 Big-ip Edge Gateway | >=13.1.0<=13.1.1 | |
| F5 Big-ip Edge Gateway | >=14.0.0<=14.1.0 | |
| F5 Big-ip Edge Gateway | =15.0.0 | |
| F5 Big-ip Domain Name System | >=11.5.2<=11.6.4 | |
| F5 Big-ip Domain Name System | >=12.1.0<=12.1.4 | |
| F5 Big-ip Domain Name System | >=13.1.0<=13.1.1 | |
| F5 Big-ip Domain Name System | >=14.0.0<=14.1.0 | |
| F5 Big-ip Domain Name System | =15.0.0 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =18.10 | |
| Canonical Ubuntu Linux | =19.04 | |
| Redhat Enterprise Linux Atomic Host | ||
| Redhat Enterprise Linux | =5.0 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux Aus | =6.5 | |
| Redhat Enterprise Linux Aus | =6.6 | |
| Redhat Enterprise Linux Eus | =7.4 | |
| Redhat Enterprise Linux Eus | =7.5 | |
| Redhat Enterprise Mrg | =2.0 | |
| Ivanti Connect Secure | ||
| Pulsesecure Pulse Policy Secure | ||
| Pulsesecure Pulse Secure Virtual Application Delivery Controller | ||
| F5 Traffix Signaling Delivery Controller | >=5.0.0<=5.1.0 | |
| Pulsesecure Pulse Connect Secure |
Remedy
For mitigation, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html
- http://packetstormsecurity.com/files/154408/Kernel-Live-Patch-Security-Notice-LSN-0055-1.html
- http://packetstormsecurity.com/files/154951/Kernel-Live-Patch-Security-Notice-LSN-0058-1.html
- http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt
- http://www.openwall.com/lists/oss-security/2019/06/28/2
- http://www.openwall.com/lists/oss-security/2019/07/06/3
- http://www.openwall.com/lists/oss-security/2019/07/06/4
- http://www.openwall.com/lists/oss-security/2019/10/24/1
- http://www.openwall.com/lists/oss-security/2019/10/29/3
- http://www.vmware.com/security/advisories/VMSA-2019-0010.html
- https://access.redhat.com/errata/RHSA-2019:1594
- https://access.redhat.com/errata/RHSA-2019:1602
- https://access.redhat.com/errata/RHSA-2019:1699
- https://access.redhat.com/security/vulnerabilities/tcpsack
- https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf
- https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=f070ef2ac66716357066b683fb0baf55f8191a2e
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193
- https://kc.mcafee.com/corporate/index?page=content&id=SB10287
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0007
- https://seclists.org/bugtraq/2019/Jul/30
- https://security.netapp.com/advisory/ntap-20190625-0001/
- https://support.f5.com/csp/article/K26618426
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
- https://www.kb.cert.org/vuls/id/905115
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.synology.com/security/advisory/Synology_SA_19_28
- https://www.us-cert.gov/ics/advisories/icsa-19-253-03
- https://www.ietf.org/rfc/rfc2018.txt
- http://vger.kernel.org/~davem/skb_data.html
- https://access.redhat.com/support/policy/updates/errata/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1721256
- https://www.openwall.com/lists/oss-security/2019/06/17/5
- https://patchwork.ozlabs.org/project/netdev/list/?series=114310
- https://access.redhat.com/errata/RHSA-2019:1479
- https://access.redhat.com/errata/RHSA-2019:1488
- https://access.redhat.com/errata/RHSA-2019:1481
- https://access.redhat.com/errata/RHSA-2019:1482
- https://access.redhat.com/errata/RHSA-2019:1483
- https://access.redhat.com/errata/RHSA-2019:1489
- https://access.redhat.com/errata/RHSA-2019:1490
- https://access.redhat.com/errata/RHSA-2019:1485
- https://access.redhat.com/errata/RHSA-2019:1484
- https://access.redhat.com/errata/RHSA-2019:1480
- https://access.redhat.com/errata/RHSA-2019:1487
- https://access.redhat.com/errata/RHSA-2019:1486
- https://access.redhat.com/errata/RHBA-2019:1589
- https://access.redhat.com/security/cve/cve-2019-11478
- https://bugzilla.redhat.com/show_bug.cgi?id=1719128
- https://www.cve.org/CVERecord?id=CVE-2019-11478 https://nvd.nist.gov/vuln/detail/CVE-2019-11478 https://patchwork.ozlabs.org/project/netdev/list/?series=114310 https://www.openwall.com/lists/oss-security/2019/06/17/5
- https://security-tracker.debian.org/tracker/CVE-2019-11478
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/security-tracker-debian
- agent/author
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-11478
- agent/weakness
- agent/severity
- agent/references
- agent/remedy
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/4.5
- version/linux linux kernel/4.10
- version/linux linux kernel/4.15
- version/linux linux kernel/4.20
- vendor/f5
- canonical/f5 big-ip advanced firewall manager
- version/f5 big-ip advanced firewall manager/11.5.2
- version/f5 big-ip advanced firewall manager/11.6.4
- version/f5 big-ip advanced firewall manager/12.1.0
- version/f5 big-ip advanced firewall manager/12.1.4
- version/f5 big-ip advanced firewall manager/13.1.0
- version/f5 big-ip advanced firewall manager/13.1.1
- version/f5 big-ip advanced firewall manager/14.0.0
- version/f5 big-ip advanced firewall manager/14.1.0
- version/f5 big-ip advanced firewall manager/15.0.0
- canonical/f5 big-ip access policy manager
- version/f5 big-ip access policy manager/11.5.2
- version/f5 big-ip access policy manager/11.6.4
- version/f5 big-ip access policy manager/12.1.0
- version/f5 big-ip access policy manager/12.1.4
- version/f5 big-ip access policy manager/13.1.0
- version/f5 big-ip access policy manager/13.1.1
- version/f5 big-ip access policy manager/14.0.0
- version/f5 big-ip access policy manager/14.1.0
- version/f5 big-ip access policy manager/15.0.0
- canonical/f5 big-ip application acceleration manager
- version/f5 big-ip application acceleration manager/11.5.2
- version/f5 big-ip application acceleration manager/11.6.4
- version/f5 big-ip application acceleration manager/12.1.0
- version/f5 big-ip application acceleration manager/12.1.4
- version/f5 big-ip application acceleration manager/13.1.0
- version/f5 big-ip application acceleration manager/13.1.1
- version/f5 big-ip application acceleration manager/14.0.0
- version/f5 big-ip application acceleration manager/14.1.0
- version/f5 big-ip application acceleration manager/15.0.0
- canonical/f5 big-ip link controller
- version/f5 big-ip link controller/11.5.2
- version/f5 big-ip link controller/11.6.4
- version/f5 big-ip link controller/12.1.0
- version/f5 big-ip link controller/12.1.4
- version/f5 big-ip link controller/13.1.0
- version/f5 big-ip link controller/13.1.1
- version/f5 big-ip link controller/14.0.0
- version/f5 big-ip link controller/14.1.0
- version/f5 big-ip link controller/15.0.0
- canonical/f5 big-ip policy enforcement manager
- version/f5 big-ip policy enforcement manager/11.5.2
- version/f5 big-ip policy enforcement manager/11.6.4
- version/f5 big-ip policy enforcement manager/12.1.0
- version/f5 big-ip policy enforcement manager/12.1.4
- version/f5 big-ip policy enforcement manager/13.1.0
- version/f5 big-ip policy enforcement manager/13.1.1
- version/f5 big-ip policy enforcement manager/14.0.0
- version/f5 big-ip policy enforcement manager/14.1.0
- version/f5 big-ip policy enforcement manager/15.0.0
- canonical/f5 big-ip webaccelerator
- version/f5 big-ip webaccelerator/11.5.2
- version/f5 big-ip webaccelerator/11.6.4
- version/f5 big-ip webaccelerator/12.1.0
- version/f5 big-ip webaccelerator/12.1.4
- version/f5 big-ip webaccelerator/13.1.0
- version/f5 big-ip webaccelerator/13.1.1
- version/f5 big-ip webaccelerator/14.0.0
- version/f5 big-ip webaccelerator/14.1.0
- version/f5 big-ip webaccelerator/15.0.0
- canonical/f5 big-ip application security manager
- version/f5 big-ip application security manager/11.5.2
- version/f5 big-ip application security manager/11.6.4
- version/f5 big-ip application security manager/12.1.0
- version/f5 big-ip application security manager/12.1.4
- version/f5 big-ip application security manager/13.1.0
- version/f5 big-ip application security manager/13.1.1
- version/f5 big-ip application security manager/14.0.0
- version/f5 big-ip application security manager/14.1.0
- version/f5 big-ip application security manager/15.0.0
- canonical/f5 big-ip local traffic manager
- version/f5 big-ip local traffic manager/11.5.2
- version/f5 big-ip local traffic manager/11.6.4
- version/f5 big-ip local traffic manager/12.1.0
- version/f5 big-ip local traffic manager/12.1.4
- version/f5 big-ip local traffic manager/13.1.0
- version/f5 big-ip local traffic manager/13.1.1
- version/f5 big-ip local traffic manager/14.0.0
- version/f5 big-ip local traffic manager/14.1.0
- version/f5 big-ip local traffic manager/15.0.0
- canonical/f5 big-ip fraud protection service
- version/f5 big-ip fraud protection service/11.5.2
- version/f5 big-ip fraud protection service/11.6.4
- version/f5 big-ip fraud protection service/12.1.0
- version/f5 big-ip fraud protection service/12.1.4
- version/f5 big-ip fraud protection service/13.1.0
- version/f5 big-ip fraud protection service/13.1.1
- version/f5 big-ip fraud protection service/14.0.0
- version/f5 big-ip fraud protection service/14.1.0
- version/f5 big-ip fraud protection service/15.0.0
- canonical/f5 big-ip global traffic manager
- version/f5 big-ip global traffic manager/11.5.2
- version/f5 big-ip global traffic manager/11.6.4
- version/f5 big-ip global traffic manager/12.1.0
- version/f5 big-ip global traffic manager/12.1.4
- version/f5 big-ip global traffic manager/13.1.0
- version/f5 big-ip global traffic manager/13.1.1
- version/f5 big-ip global traffic manager/14.0.0
- version/f5 big-ip global traffic manager/14.1.0
- version/f5 big-ip global traffic manager/15.0.0
- canonical/f5 big-ip analytics
- version/f5 big-ip analytics/11.5.2
- version/f5 big-ip analytics/11.6.4
- version/f5 big-ip analytics/12.1.0
- version/f5 big-ip analytics/12.1.4
- version/f5 big-ip analytics/13.1.0
- version/f5 big-ip analytics/13.1.1
- version/f5 big-ip analytics/14.0.0
- version/f5 big-ip analytics/14.1.0
- version/f5 big-ip analytics/15.0.0
- canonical/f5 big-ip edge gateway
- version/f5 big-ip edge gateway/11.5.2
- version/f5 big-ip edge gateway/11.6.4
- version/f5 big-ip edge gateway/12.1.0
- version/f5 big-ip edge gateway/12.1.4
- version/f5 big-ip edge gateway/13.1.0
- version/f5 big-ip edge gateway/13.1.1
- version/f5 big-ip edge gateway/14.0.0
- version/f5 big-ip edge gateway/14.1.0
- version/f5 big-ip edge gateway/15.0.0
- canonical/f5 big-ip domain name system
- version/f5 big-ip domain name system/11.5.2
- version/f5 big-ip domain name system/11.6.4
- version/f5 big-ip domain name system/12.1.0
- version/f5 big-ip domain name system/12.1.4
- version/f5 big-ip domain name system/13.1.0
- version/f5 big-ip domain name system/13.1.1
- version/f5 big-ip domain name system/14.0.0
- version/f5 big-ip domain name system/14.1.0
- version/f5 big-ip domain name system/15.0.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/18.10
- version/canonical ubuntu linux/19.04
- vendor/redhat
- canonical/redhat enterprise linux atomic host
- canonical/redhat enterprise linux
- version/redhat enterprise linux/5.0
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux aus
- version/redhat enterprise linux aus/6.5
- version/redhat enterprise linux aus/6.6
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/7.4
- version/redhat enterprise linux eus/7.5
- canonical/redhat enterprise mrg
- version/redhat enterprise mrg/2.0
- vendor/ivanti
- canonical/ivanti connect secure
- vendor/pulsesecure
- canonical/pulsesecure pulse policy secure
- canonical/pulsesecure pulse secure virtual application delivery controller
- canonical/f5 traffix signaling delivery controller
- version/f5 traffix signaling delivery controller/5.0.0
- version/f5 traffix signaling delivery controller/5.1.0
- canonical/pulsesecure pulse connect secure