This topic describes how to fix the Linux kernel vulnerability CVE-2019-11477. The vulnerability is an integer overflow in the way Linux kernels (version 2.6.29 or later) handle TCP Selective Acknowledgments (SACKs), and it can be exploited to cause a denial of service (DoS). That is, a high volume of malicious requests can disrupt your services temporarily or indefinitely.

Solutions

  • ACK plans to upgrade the base image of cluster nodes. The kernel version in the new image fixes this vulnerability.
  • For the nodes of an existing Kubernetes cluster created by ACK, you can use one of the following three methods to fix the vulnerability:
    • Install the Linux security patch.
    • Disable the SACK feature.
    • Use a filter to block connections with a low MSS.
Install the Linux security patch
Note To fix this vulnerability on a cluster node, you must restart the ECS instance that backs the node. We recommend that you perform the fix during an off-peak period to avoid interrupting your services.
  1. Log on to each node of the Kubernetes cluster and run the yum update kernel command.
    Note This action installs the updated kernel version.
  2. Restart cluster nodes.
    • Restart the Master nodes one at a time: before you restart the next Master node, make sure that the Kubernetes components on the Master node you just restarted have returned to a normal state.
    • Before you restart a Worker node, make sure that more than one replica of each service is available across the nodes. For workloads that run on only one Worker node, perform the following operations to migrate the workloads to other nodes before you restart the node:
      Note These operations help you avoid the service interruptions that would otherwise occur when you restart the node.
      1. Mark the Worker node as unschedulable.
      2. Drain the node to evict the workloads that run on it by running the kubectl drain command. (This action applies to pods that are managed by a ReplicationController, ReplicaSet, Job, DaemonSet, or StatefulSet.)

      After you restart the Worker node, run the kubectl uncordon $nodename command to make the node schedulable again.

  3. Run the official script released by Red Hat to check whether the vulnerability is fixed.
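The restart procedure above, as an added example script that is not part of this page or of ACK: it checks whether the node has actually booted into the updated kernel, warns about Deployments that have a single replica, cordons and drains the node before the reboot, and waits for the node to report Ready before uncordoning it afterwards. The node name, the KUBECTL override, the drain timeout and the use of rpm and uname (the page's nodes use yum, so an RPM-based OS is assumed) are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example (not from the ACK page): drive the Worker-node restart
# procedure for one node after "yum update kernel": check whether a reboot is
# still needed, warn about single-replica Deployments, cordon and drain, and
# after the reboot wait for Ready and uncordon. KUBECTL can point at a stub for
# offline testing; rpm/uname are assumed because the page's nodes use yum.
set -eu

KUBECTL="${KUBECTL:-kubectl}"

# The patch is only active once the node boots into the updated kernel, so
# compare the newest installed kernel package with the running kernel.
reboot_required() {
  local installed running
  installed=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -V | tail -n 1)
  running=$(uname -r)
  [ "$installed" != "$running" ]
}

# Deployments that would lose their only replica while a node is drained.
# The page requires more than one replica before a Worker is restarted.
single_replica_deployments() {
  "$KUBECTL" get deployments --all-namespaces \
    -o jsonpath='{range .items[?(@.spec.replicas==1)]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'
}

# Steps 1 and 2 from the page: mark the node unschedulable, then evict its
# pods. --ignore-daemonsets is needed because DaemonSet pods cannot be
# evicted; --delete-local-data lets pods with emptyDir volumes be evicted
# (newer kubectl releases call this flag --delete-emptydir-data).
cordon_and_drain() {
  "$KUBECTL" cordon "$1"
  "$KUBECTL" drain "$1" --ignore-daemonsets --delete-local-data --timeout=300s
}

# After the reboot: wait until the node reports Ready, then uncordon it.
wait_ready_and_uncordon() {
  local node="$1" attempt status
  for attempt in $(seq 1 30); do
    status=$("$KUBECTL" get node "$node" \
      -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
    if [ "$status" = "True" ]; then
      "$KUBECTL" uncordon "$node"
      return 0
    fi
    sleep 10
  done
  echo "node $node did not become Ready in time" >&2
  return 1
}

# Usage: ./restart-node.sh drain <node>      before rebooting the node
#        ./restart-node.sh uncordon <node>   after the node is back
case "${1:-}" in
  drain)
    single=$(single_replica_deployments)
    if [ -n "$single" ]; then
      echo "warning: these Deployments have a single replica and will be interrupted:" >&2
      echo "$single" >&2
    fi
    cordon_and_drain "$2"
    ;;
  uncordon)
    wait_ready_and_uncordon "$2"
    if reboot_required; then
      echo "warning: $2 is still running the old kernel; reboot it again" >&2
    fi
    ;;
esac
```

Run the drain step, reboot the node, then run the uncordon step; the final kernel comparison catches the common mistake of uncordoning a node that was never rebooted after the package update, in which case the patch is installed but not active.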
Disable the SACK feature
Note This method reduces the efficiency with which TCP connections process requests. Therefore, evaluate the effects before you use this method.
Run the following commands:
echo 0 > /proc/sys/net/ipv4/tcp_sack
sysctl -w net.ipv4.tcp_sack=0
Use a filter to block connections with a low MSS
Note
  • To use this method, you must disable TCP MTU probing. That is, in the /etc/sysctl.conf file, set the net.ipv4.tcp_mtu_probing sysctl to 0.
  • This method affects legitimate connections that rely on a low MSS. Therefore, evaluate the effects before you use this method.

For information about the specific command, see Security bulletins.
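Both no-reboot mitigations on this page (disabling SACK, and disabling MTU probing plus filtering low-MSS connections) as one added example script that is not part of this page or of ACK. The sysctl.d file name, the DRY_RUN switch for offline testing, and the 500-byte MSS threshold are assumptions of the example; the threshold is the value used in the Red Hat bulletin, not a value from this page, and it must be tuned to the lowest MSS your legitimate peers need.

```shell
#!/usr/bin/env bash
# Added example (not from the ACK page): apply one of the two no-reboot
# mitigations for CVE-2019-11477 on a node and verify it. Run as root.
# DRY_RUN=1 prints the privileged commands instead of running them
# (constructed for offline testing). SYSCTL_FILE and the MSS threshold
# of 500 bytes (the Red Hat bulletin's value) are assumptions.
set -eu

SYSCTL_FILE="${SYSCTL_FILE:-/etc/sysctl.d/99-cve-2019-11477.conf}"
PROC_SACK="${PROC_SACK:-/proc/sys/net/ipv4/tcp_sack}"
MSS_MAX="${MSS_MAX:-500}"

# Execute a privileged command, or print it in dry-run mode.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Persistent sysctl settings for each method. Method "sack" turns SACK off,
# which costs retransmission efficiency. Method "mss" keeps SACK but disables
# TCP MTU probing, which the page requires for the filter method.
render_sysctl_conf() {
  case "$1" in
    sack) printf 'net.ipv4.tcp_sack = 0\n' ;;
    mss)  printf 'net.ipv4.tcp_mtu_probing = 0\n' ;;
    *)    echo "unknown method: $1" >&2; return 1 ;;
  esac
}

# Write the persistent setting, load it into the running kernel and, for the
# "mss" method, insert firewall rules that drop SYN segments advertising an
# MSS of 1..MSS_MAX bytes. Peers that genuinely need such a small MSS lose
# connectivity; that is the trade-off the page's note describes.
apply_mitigation() {
  local method="$1" tool
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "write $SYSCTL_FILE:"; render_sysctl_conf "$method"
  else
    render_sysctl_conf "$method" > "$SYSCTL_FILE"
  fi
  run sysctl -p "$SYSCTL_FILE"
  if [ "$method" = "mss" ]; then
    for tool in iptables ip6tables; do
      run "$tool" -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss "1:$MSS_MAX" -j DROP
    done
  fi
}

# Verification helpers: SACK is really off, or the drop rule is really loaded.
sack_disabled() { [ "$(cat "$PROC_SACK")" = "0" ]; }
mss_rule_present() { iptables -S INPUT | grep -q -- "--mss 1:$MSS_MAX"; }

# Usage: ./mitigate.sh sack   or   ./mitigate.sh mss
if [ -n "${1:-}" ]; then
  apply_mitigation "$1"
  case "$1" in
    sack) sack_disabled && echo "SACK disabled" ;;
    mss)  mss_rule_present && echo "low-MSS filter active" ;;
  esac
fi
```

Pick exactly one method per node; running "mss" after "sack" leaves SACK off, which makes the filter pointless. The rules inserted with iptables -I are not persistent across reboots, so a node that is later rebooted into the patched kernel no longer needs them, while a node that is rebooted without the patch needs them reinstalled.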