Purpose of Work:
A vulnerability targeting the networking stack in linux servers running kernel 2.6.29 or newer has been discovered that allows for Networking denial-of-service of varying severity, leveraging TCP "Selective Acknowlegment" (SACK).
Because the vulnerability requires absolutely no authentication, it could be used to deny networking indefinitely to any linux server using an unpatched kernel released in the last 10 years.
Due to the ease of exploitation, and the impact of exploitation, we will be patching and rebooting all affected, fully-managed hosts overnight.
You can read more about the exploit (and patches mitigating it), here: https://www.openwall.com/lists/oss-security/2019/06/17/5
and here https://access.redhat.com/security/vulnerabilities/tcpsack
Centos 5 hosts and older cannot be updated due to lack of support, so we will be disabling SACK on them. If you are a customer with fully managed services running Centos 5 or older, we urge you to get in contact with us regarding migration paths to a supported OS, if you are not already.Impact of Work:
Centos 6 and Centos 7 hosts with fully managed service will be briefly rebooted over the next 8 hours. Expected downtime on each server will be around 2-5 minutes, depending on server startup speed. There may be some outliers, but any server that takes too long to start up will be investigated in short order.
We must do this before exploits are in the wild and frequent, since the update process itself requires networking to be done efficiently.
Thank you for your co-operation,