This topic describes how to fix the Linux kernel vulnerability CVE-2019-11477. The vulnerability is an integer overflow in the way Linux kernels of version 2.6.29 or later handle TCP Selective Acknowledgments (SACKs), and it can be exploited for denial of service (DoS): a high influx of malicious requests can disrupt your services temporarily or indefinitely.
- ACK plans to upgrade the base image of cluster nodes. The kernel version of the new image fixes this vulnerability.
- For the nodes of an existing Kubernetes cluster created with ACK, you can use one of the following three methods to fix the vulnerability:
  - Upgrade the Linux security patch.
  - Disable the SACK feature.
  - Use a filter to block connections with a low MSS.
- Method 1: Upgrade the Linux security patch.
  - Log on to each node of the Kubernetes cluster and run the yum update kernel command.
    Note: This action updates the kernel version.
  - Restart the cluster nodes.
    - Restart the Master nodes one at a time: make sure that the Kubernetes components of a restarted Master node have recovered to a normal state before you restart the next Master node.
    - Before you restart a Worker node, make sure that more than one replica of each service is available across the nodes. For workloads that run on only one Worker node, perform the following operations before you restart that node so that the workloads are migrated to another node:
      Note: Performing the following operations helps you avoid the service interruption that would otherwise occur when you restart the node.
      - Mark the Worker node as unschedulable.
      - Drain the node to evict the workloads that run on it by running the kubectl drain command. (This action applies to pods that are controlled by a ReplicationController, ReplicaSet, Job, DaemonSet, or StatefulSet.)
      After you restart the Worker node, run the kubectl uncordon $nodename command to make the node schedulable again.
  - Run the official script released by Red Hat to check whether the vulnerability is fixed.
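The Worker-node steps above (mark unschedulable, drain, restart, uncordon) collected into one script, as an added example; it is not ACK's own tooling and it is not the Red Hat check script mentioned in the last step. It assumes that kubectl is configured for the cluster, that you reboot the node yourself once it is drained, and that FIXED_KERNEL is a placeholder you replace with the fixed kernel version from the security bulletin for your OS. The version comparison only confirms that the node came back on a kernel at or above that version; the Red Hat script remains the authoritative check.

```shell
#!/bin/sh
# Added example (not ACK's own tooling): drain, reboot and re-enable one
# Worker node after "yum update kernel". Assumes kubectl is configured for the
# cluster. FIXED_KERNEL is a placeholder for the kernel version that carries
# the fix on your image; take the real value from the security bulletin.
set -eu

FIXED_KERNEL="${FIXED_KERNEL:-0.0.0-PLACEHOLDER}"   # placeholder, override via env

# Succeed when kernel version $1 sorts at or after $2 in GNU "sort -V" order,
# e.g. "3.10.0-957.21.3.el7" >= "3.10.0-957.12.2.el7".
kernel_is_at_least() {
    have="$1"; want="$2"
    [ "$(printf '%s\n%s\n' "$want" "$have" | sort -V | tail -n 1)" = "$have" ]
}

# Succeed when a workload has more than one replica, i.e. evicting the pod on
# this node does not take the service down (the precondition stated above).
has_spare_replicas() {
    [ "$1" -gt 1 ]
}

# Wait up to $2 seconds for the node's Ready condition to become True.
wait_node_ready() {
    node="$1"; deadline=$(( $(date +%s) + $2 ))
    until [ "$(kubectl get node "$node" \
              -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')" = "True" ]; do
        [ "$(date +%s)" -lt "$deadline" ] || return 1
        sleep 10
    done
}

restart_worker() {
    node="$1"
    kubectl cordon "$node"                       # 1. mark the node unschedulable
    kubectl drain "$node" --ignore-daemonsets    # 2. evict controller-managed pods
    echo "Node $node is drained. Reboot it now, then press Enter to continue."
    read -r _
    wait_node_ready "$node" 600
    running="$(kubectl get node "$node" -o jsonpath='{.status.nodeInfo.kernelVersion}')"
    if ! kernel_is_at_least "$running" "$FIXED_KERNEL"; then
        echo "Node $node still runs kernel $running; leaving it cordoned." >&2
        return 1
    fi
    kubectl uncordon "$node"                     # 3. make the node schedulable again
}

# Usage: ./restart-worker.sh <node-name>. With no argument the script only
# defines the functions, so it can also be sourced.
[ $# -eq 0 ] || restart_worker "$1"
```

The node stays cordoned if it comes back on an older kernel, so a node that booted into the previous kernel entry cannot silently receive workloads again.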
- Method 2: Disable the SACK feature.
  - Run either of the following commands (both set net.ipv4.tcp_sack to 0 for the running kernel):
    echo 0 > /proc/sys/net/ipv4/tcp_sack
    sysctl -w net.ipv4.tcp_sack=0
  - To use this method, you must disable TCP probes. That is, in the file /etc/sysctl.conf, set
- Method 3: Use a filter to block connections with a low MSS.
  - This method also blocks legitimate connections that rely on a low MSS, so we recommend that you assess the impact before you apply it.
  - For the specific command, see Security bulletins.
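Methods 2 and 3 as one added example script; this is not ACK's or Red Hat's own code. It assumes that the persistent setting the Method 2 step refers to is net.ipv4.tcp_sack = 0 in /etc/sysctl.conf (the page's own sentence is cut off, so that is an assumption), that the node runs iptables with the tcpmss match, and a constructed MSS threshold of 500 bytes: incoming SYNs that advertise a lower MSS are dropped, which is exactly the impact on low-MSS connections that the caveat above asks you to assess. The sysctl.conf edit is idempotent, so the script can be rerun safely.

```shell
#!/bin/sh
# Added example, not ACK's or Red Hat's script. Assumes a sysctl.conf-based
# node and iptables with the tcpmss match. MIN_MSS is a constructed threshold.
set -eu

SACK_KEY="net.ipv4.tcp_sack"
MIN_MSS=500   # SYNs advertising an MSS below this value are dropped

# Escape the dots of a sysctl key for use in an extended regex.
key_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Idempotently set "key = value" in a sysctl.conf-style file: any existing
# assignment of the key (commented out or not) is removed, then one line is
# appended, so repeated runs never stack duplicate lines.
ensure_sysctl_setting() {
    conf="$1"; key="$2"; value="$3"
    tmp="$conf.tmp.$$"
    grep -v -E "^[[:space:]]*#?[[:space:]]*$(key_regex "$key")[[:space:]]*=" "$conf" > "$tmp" || true
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$conf"
}

# Succeed when the file holds exactly one uncommented "key = value" line.
sysctl_setting_is() {
    conf="$1"; key="$2"; value="$3"
    n="$(grep -c -E "^[[:space:]]*$(key_regex "$key")[[:space:]]*=[[:space:]]*$value[[:space:]]*$" "$conf" || true)"
    [ "$n" -eq 1 ]
}

# Method 2: turn SACK off for the running kernel and across reboots.
disable_sack() {
    sysctl -w "$SACK_KEY=0"
    ensure_sysctl_setting /etc/sysctl.conf "$SACK_KEY" 0
}

# Method 3: drop incoming SYNs whose MSS option lies in 1..MIN_MSS-1.
# "iptables -C" checks for the rule first so reruns do not insert it twice.
apply_mss_filter() {
    set -- -p tcp --syn -m tcpmss --mss "1:$((MIN_MSS - 1))" -j DROP
    iptables -C INPUT "$@" 2>/dev/null || iptables -I INPUT "$@"
}

# Usage: ./sack-mitigation.sh disable-sack | mss-filter (run as root).
case "${1:-}" in
    disable-sack) disable_sack ;;
    mss-filter)   apply_mss_filter ;;
esac
```

Both mitigations are reversible: remove the line from /etc/sysctl.conf and run sysctl -w net.ipv4.tcp_sack=1, or delete the rule with iptables -D INPUT followed by the same match arguments, once the node runs a fixed kernel.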