First published: Tue Jun 11 2019(Updated: )
An excessive resource consumption flaw was found in the way the Linux kernel's networking subsystem processed TCP segments. If the Maximum Segment Size (MSS) of a TCP connection was set to low values, such as 48 bytes, it can leave as little as 8 bytes for the user data, which significantly increases the Linux kernel's resource (CPU, Memory, and Bandwidth) utilization. A remote attacker could use this flaw to cause a denial of service (DoS) by repeatedly sending network traffic on a TCP connection with low TCP MSS.
Credit: security@ubuntu.com security@ubuntu.com security@ubuntu.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <0:2.6.32-754.15.3.el6 | 0:2.6.32-754.15.3.el6 |
redhat/kernel | <0:2.6.32-431.95.3.el6 | 0:2.6.32-431.95.3.el6 |
redhat/kernel | <0:2.6.32-504.79.3.el6 | 0:2.6.32-504.79.3.el6 |
redhat/kernel-rt | <0:3.10.0-957.21.3.rt56.935.el7 | 0:3.10.0-957.21.3.rt56.935.el7 |
redhat/kernel | <0:3.10.0-957.21.3.el7 | 0:3.10.0-957.21.3.el7 |
redhat/kernel-alt | <0:4.14.0-115.8.2.el7a | 0:4.14.0-115.8.2.el7a |
redhat/kernel | <0:3.10.0-327.79.2.el7 | 0:3.10.0-327.79.2.el7 |
redhat/kernel | <0:3.10.0-514.66.2.el7 | 0:3.10.0-514.66.2.el7 |
redhat/kernel | <0:3.10.0-693.50.3.el7 | 0:3.10.0-693.50.3.el7 |
redhat/kernel | <0:3.10.0-862.34.2.el7 | 0:3.10.0-862.34.2.el7 |
redhat/kernel-rt | <0:4.18.0-80.4.2.rt9.152.el8_0 | 0:4.18.0-80.4.2.rt9.152.el8_0 |
redhat/kernel | <0:4.18.0-80.4.2.el8_0 | 0:4.18.0-80.4.2.el8_0 |
redhat/kernel-rt | <1:3.10.0-693.50.3.rt56.644.el6 | 1:3.10.0-693.50.3.rt56.644.el6 |
redhat/redhat-release-virtualization-host | <0:4.2-11.1.el7 | 0:4.2-11.1.el7 |
redhat/redhat-virtualization-host | <0:4.2-20190618.0.el7_6 | 0:4.2-20190618.0.el7_6 |
redhat/redhat-release-virtualization-host | <0:4.3.4-1.el7e | 0:4.3.4-1.el7e |
redhat/redhat-virtualization-host | <0:4.3.4-20190620.3.el7_6 | 0:4.3.4-20190620.3.el7_6 |
ubuntu/linux | <4.15.0-54.58 | 4.15.0-54.58 |
ubuntu/linux | <4.18.0-25.26 | 4.18.0-25.26 |
ubuntu/linux | <5.0.0-20.21 | 5.0.0-20.21 |
ubuntu/linux | <5.2~ | 5.2~ |
ubuntu/linux | <4.4.0-154.181 | 4.4.0-154.181 |
ubuntu/linux-flo | <5.2~ | 5.2~ |
ubuntu/linux-aws | <4.15.0-1043.45 | 4.15.0-1043.45 |
ubuntu/linux-aws | <4.18.0-1020.24 | 4.18.0-1020.24 |
ubuntu/linux-aws | <5.0.0-1010.11 | 5.0.0-1010.11 |
ubuntu/linux-aws | <5.2~ | 5.2~ |
ubuntu/linux-aws | <4.4.0-1087.98 | 4.4.0-1087.98 |
ubuntu/linux-azure | <4.18.0-1023.24~18.04.1 | 4.18.0-1023.24~18.04.1 |
ubuntu/linux-azure | <4.18.0-1023.24 | 4.18.0-1023.24 |
ubuntu/linux-azure | <5.0.0-1010.10 | 5.0.0-1010.10 |
ubuntu/linux-azure | <5.2~ | 5.2~ |
ubuntu/linux-azure | <4.15.0-1049.54 | 4.15.0-1049.54 |
ubuntu/linux-aws-hwe | <5.2~ | 5.2~ |
ubuntu/linux-aws-hwe | <4.15.0-1043.45~16.04.1 | 4.15.0-1043.45~16.04.1 |
ubuntu/linux-gcp-edge | <4.18.0-1015.16~18.04.1 | 4.18.0-1015.16~18.04.1 |
ubuntu/linux-gcp-edge | <5.2~ | 5.2~ |
ubuntu/linux-azure-edge | <4.18.0-1023.24~18.04.1 | 4.18.0-1023.24~18.04.1 |
ubuntu/linux-azure-edge | <5.2~ | 5.2~ |
ubuntu/linux-azure-edge | <4.15.0-1049.54 | 4.15.0-1049.54 |
ubuntu/linux-euclid | <5.2~ | 5.2~ |
ubuntu/linux-gcp | <4.15.0-1036.38 | 4.15.0-1036.38 |
ubuntu/linux-gcp | <4.18.0-1015.16 | 4.18.0-1015.16 |
ubuntu/linux-gcp | <5.0.0-1010.10 | 5.0.0-1010.10 |
ubuntu/linux-gcp | <5.2~ | 5.2~ |
ubuntu/linux-gcp | <4.15.0-1036.38~16.04.1 | 4.15.0-1036.38~16.04.1 |
ubuntu/linux-gke | <5.2~ | 5.2~ |
ubuntu/linux-gke-4.15 | <4.15.0-1036.38 | 4.15.0-1036.38 |
ubuntu/linux-gke-4.15 | <5.2~ | 5.2~ |
ubuntu/linux-gke-5.0 | <5.2~ | 5.2~ |
ubuntu/linux-goldfish | <5.2~ | 5.2~ |
ubuntu/linux-grouper | <5.2~ | 5.2~ |
ubuntu/linux-hwe | <4.18.0-25.26~18.04.1 | 4.18.0-25.26~18.04.1 |
ubuntu/linux-hwe | <5.2~ | 5.2~ |
ubuntu/linux-hwe | <4.15.0-54.58~16.04.1 | 4.15.0-54.58~16.04.1 |
ubuntu/linux-hwe-edge | <5.0.0-20.21~18.04.1 | 5.0.0-20.21~18.04.1 |
ubuntu/linux-hwe-edge | <5.2~ | 5.2~ |
ubuntu/linux-hwe-edge | <4.15.0-54.58~16.04.1 | 4.15.0-54.58~16.04.1 |
ubuntu/linux-kvm | <4.15.0-1038.38 | 4.15.0-1038.38 |
ubuntu/linux-kvm | <4.18.0-1016.17 | 4.18.0-1016.17 |
ubuntu/linux-kvm | <5.0.0-1010.11 | 5.0.0-1010.11 |
ubuntu/linux-kvm | <5.2~ | 5.2~ |
ubuntu/linux-kvm | <4.4.0-1051.58 | 4.4.0-1051.58 |
ubuntu/linux-lts-trusty | <5.2~ | 5.2~ |
ubuntu/linux-lts-utopic | <5.2~ | 5.2~ |
ubuntu/linux-lts-vivid | <5.2~ | 5.2~ |
ubuntu/linux-lts-wily | <5.2~ | 5.2~ |
ubuntu/linux-lts-xenial | <5.2~ | 5.2~ |
ubuntu/linux-maguro | <5.2~ | 5.2~ |
ubuntu/linux-mako | <5.2~ | 5.2~ |
ubuntu/linux-manta | <5.2~ | 5.2~ |
ubuntu/linux-oem | <4.15.0-1045.50 | 4.15.0-1045.50 |
ubuntu/linux-oem | <4.15.0-1045.50 | 4.15.0-1045.50 |
ubuntu/linux-oem | <5.2~ | 5.2~ |
ubuntu/linux-oracle | <4.15.0-1017.19 | 4.15.0-1017.19 |
ubuntu/linux-oracle | <4.15.0-1017.19 | 4.15.0-1017.19 |
ubuntu/linux-oracle | <5.2~ | 5.2~ |
ubuntu/linux-oracle | <4.15.0-1017.19~16.04.2 | 4.15.0-1017.19~16.04.2 |
ubuntu/linux-raspi2 | <4.15.0-1040.43 | 4.15.0-1040.43 |
ubuntu/linux-raspi2 | <4.18.0-1018.21 | 4.18.0-1018.21 |
ubuntu/linux-raspi2 | <5.0.0-1012.12 | 5.0.0-1012.12 |
ubuntu/linux-raspi2 | <5.2~ | 5.2~ |
ubuntu/linux-raspi2 | <4.4.0-1114.123 | 4.4.0-1114.123 |
ubuntu/linux-snapdragon | <4.15.0-1057.62 | 4.15.0-1057.62 |
ubuntu/linux-snapdragon | <5.0.0-1016.17 | 5.0.0-1016.17 |
ubuntu/linux-snapdragon | <5.2~ | 5.2~ |
ubuntu/linux-snapdragon | <4.4.0-1118.124 | 4.4.0-1118.124 |
debian/linux | 4.19.249-2 4.19.304-1 5.10.209-2 5.10.205-2 6.1.76-1 6.1.69-1 6.6.13-1 6.6.15-2 | |
Linux Linux kernel | >=4.4<4.4.182 | |
Linux Linux kernel | >=4.9<4.9.182 | |
Linux Linux kernel | >=4.14<4.14.127 | |
Linux Linux kernel | >=4.19<4.19.52 | |
Linux Linux kernel | >=5.1<5.1.11 | |
F5 BIG-IP Advanced Firewall Manager | >=11.5.2<11.6.5.1 | |
F5 BIG-IP Advanced Firewall Manager | >=12.1.0<12.1.5.1 | |
F5 BIG-IP Advanced Firewall Manager | >=13.1.0<13.1.3.2 | |
F5 BIG-IP Advanced Firewall Manager | >=14.0.0<14.0.1.1 | |
F5 BIG-IP Advanced Firewall Manager | >=14.1.2<14.1.2.1 | |
F5 BIG-IP Advanced Firewall Manager | >=15.0.0<15.0.1.1 | |
F5 BIG-IP Access Policy Manager | >=11.5.2<11.6.5.1 | |
F5 BIG-IP Access Policy Manager | >=12.1.0<12.1.5.1 | |
F5 BIG-IP Access Policy Manager | >=13.1.0<13.1.3.2 | |
F5 BIG-IP Access Policy Manager | >=14.0.0<14.0.1.1 | |
F5 BIG-IP Access Policy Manager | >=14.1.2<14.1.2.1 | |
F5 BIG-IP Access Policy Manager | >=15.0.0<15.0.1.1 | |
F5 Big-ip Application Acceleration Manager | >=11.5.2<11.6.5.1 | |
F5 Big-ip Application Acceleration Manager | >=12.1.0<12.1.5.1 | |
F5 Big-ip Application Acceleration Manager | >=13.1.0<13.1.3.2 | |
F5 Big-ip Application Acceleration Manager | >=14.0.0<14.0.1.1 | |
F5 Big-ip Application Acceleration Manager | >=14.1.2<14.1.2.1 | |
F5 Big-ip Application Acceleration Manager | >=15.0.0<15.0.1.1 | |
F5 Big-ip Link Controller | >=11.5.2<11.6.5.1 | |
F5 Big-ip Link Controller | >=12.1.0<12.1.5.1 | |
F5 Big-ip Link Controller | >=13.1.0<13.1.3.2 | |
F5 Big-ip Link Controller | >=14.0.0<14.0.1.1 | |
F5 Big-ip Link Controller | >=14.1.2<14.1.2.1 | |
F5 Big-ip Link Controller | >=15.0.0<15.0.1.1 | |
F5 Big-ip Policy Enforcement Manager | >=11.5.2<11.6.5.1 | |
F5 Big-ip Policy Enforcement Manager | >=12.1.0<12.1.5.1 | |
F5 Big-ip Policy Enforcement Manager | >=13.1.0<13.1.3.2 | |
F5 Big-ip Policy Enforcement Manager | >=14.0.0<14.0.1.1 | |
F5 Big-ip Policy Enforcement Manager | >=14.1.2<14.1.2.1 | |
F5 Big-ip Policy Enforcement Manager | >=15.0.0<15.0.1.1 | |
F5 Big-ip Webaccelerator | >=11.5.2<11.6.5.1 | |
F5 Big-ip Webaccelerator | >=12.1.0<12.1.5.1 | |
F5 Big-ip Webaccelerator | >=13.1.0<13.1.3.2 | |
F5 Big-ip Webaccelerator | >=14.0.0<14.0.1.1 | |
F5 Big-ip Webaccelerator | >=14.1.2<14.1.2.1 | |
F5 Big-ip Webaccelerator | >=15.0.0<15.0.1.1 | |
F5 BIG-IP Application Security Manager | >=11.5.2<11.6.5.1 | |
F5 BIG-IP Application Security Manager | >=12.1.0<12.1.5.1 | |
F5 BIG-IP Application Security Manager | >=13.1.0<13.1.3.2 | |
F5 BIG-IP Application Security Manager | >=14.0.0<14.0.1.1 | |
F5 BIG-IP Application Security Manager | >=14.1.2<14.1.2.1 | |
F5 BIG-IP Application Security Manager | >=15.0.0<15.0.1.1 | |
F5 Big-ip Local Traffic Manager | >=11.5.2<11.6.5.1 | |
F5 Big-ip Local Traffic Manager | >=12.1.0<12.1.5.1 | |
F5 Big-ip Local Traffic Manager | >=13.1.0<13.1.3.2 | |
F5 Big-ip Local Traffic Manager | >=14.0.0<14.0.1.1 | |
F5 Big-ip Local Traffic Manager | >=14.1.2<14.1.2.1 | |
F5 Big-ip Local Traffic Manager | >=15.0.0<15.0.1.1 | |
F5 Big-ip Fraud Protection Service | >=11.5.2<11.6.5.1 | |
F5 Big-ip Fraud Protection Service | >=12.1.0<12.1.5.1 | |
F5 Big-ip Fraud Protection Service | >=13.1.0<13.1.3.2 | |
F5 Big-ip Fraud Protection Service | >=14.0.0<14.0.1.1 | |
F5 Big-ip Fraud Protection Service | >=14.1.2<14.1.2.1 | |
F5 Big-ip Fraud Protection Service | >=15.0.0<15.0.1.1 | |
F5 Big-ip Global Traffic Manager | >=11.5.2<11.6.5.1 | |
F5 Big-ip Global Traffic Manager | >=12.1.0<12.1.5.1 | |
F5 Big-ip Global Traffic Manager | >=13.1.0<13.1.3.2 | |
F5 Big-ip Global Traffic Manager | >=14.0.0<14.0.1.1 | |
F5 Big-ip Global Traffic Manager | >=14.1.2<14.1.2.1 | |
F5 Big-ip Global Traffic Manager | >=15.0.0<15.0.1.1 | |
F5 BIG-IP Analytics | >=11.5.2<11.6.5.1 | |
F5 BIG-IP Analytics | >=12.1.0<12.1.5.1 | |
F5 BIG-IP Analytics | >=13.1.0<13.1.3.2 | |
F5 BIG-IP Analytics | >=14.0.0<14.0.1.1 | |
F5 BIG-IP Analytics | >=14.1.2<14.1.2.1 | |
F5 BIG-IP Analytics | >=15.0.0<15.0.1.1 | |
F5 Big-ip Edge Gateway | >=11.5.2<11.6.5.1 | |
F5 Big-ip Edge Gateway | >=12.1.0<12.1.5.1 | |
F5 Big-ip Edge Gateway | >=13.1.0<13.1.3.2 | |
F5 Big-ip Edge Gateway | >=14.0.0<14.0.1.1 | |
F5 Big-ip Edge Gateway | >=14.1.2<14.1.2.1 | |
F5 Big-ip Edge Gateway | >=15.0.0<15.0.1.1 | |
F5 Big-ip Domain Name System | >=11.5.2<11.6.5.1 | |
F5 Big-ip Domain Name System | >=12.1.0<12.1.5.1 | |
F5 Big-ip Domain Name System | >=13.1.0<13.1.3.2 | |
F5 Big-ip Domain Name System | >=14.0.0<14.0.1.1 | |
F5 Big-ip Domain Name System | >=14.1.2<14.1.2.1 | |
F5 Big-ip Domain Name System | >=15.0.0<15.0.1.1 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Canonical Ubuntu Linux | =19.04 | |
Redhat Enterprise Linux | =7.0 | |
F5 BIG-IQ Centralized Management | >=5.1.0<=5.4.0 | |
F5 BIG-IQ Centralized Management | >=6.0.0<=6.1.0 | |
F5 Enterprise Manager | =3.1.1 | |
F5 iWorkflow | =2.3.0 | |
F5 Traffix Signaling Delivery Controller | >=5.0.0<=5.1.0 | |
Redhat Virtualization Host | =4.0 | |
Redhat Enterprise Linux | =7.0 | |
All of | ||
Redhat Virtualization Host | =4.0 | |
Redhat Enterprise Linux | =7.0 |
For mitigation, please refer to the Red Hat Knowledgebase article: https://access.redhat.com/security/vulnerabilities/tcpsack
This can be mitigated by dropping all packets which specify a too small MSS value. For example, to only allow MSS values of greater than 500 bytes, an iptables rule can be specified as: sudo iptables -A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP Note: this will only take effect if the net.ipv4.tcp_mtu_probing sysctl is disabled as well.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)