Zero-Day Emergency Security Patching for most fully managed Linux servers

Purpose of Work:
A vulnerability in the TCP networking stack of Linux servers running kernel 2.6.29 or newer has been disclosed (CVE-2019-11477, known as "SACK Panic", together with the related CVE-2019-11478 and CVE-2019-11479). It allows remote denial of service of varying severity, from degraded network throughput up to a kernel panic, triggered through the kernel's handling of TCP "Selective Acknowledgment" (SACK).

Because exploitation requires no authentication, only the ability to open a TCP connection to the server, it could be used to crash, or persistently degrade the networking of, any Linux server running an unpatched kernel released in the last ten years.

Because the vulnerability is easy to exploit and its impact is severe, we will be patching and rebooting all affected fully managed hosts overnight.

You can read more about the vulnerability, and the patches and mitigations for it, here: https://www.openwall.com/lists/oss-security/2019/06/17/5 and here: https://access.redhat.com/security/vulnerabilities/tcpsack


CentOS 5 hosts and older cannot be updated because they are no longer supported, so we will be disabling TCP SACK on them (the net.ipv4.tcp_sack sysctl). This is a mitigation rather than a fix: it prevents the attack but can reduce throughput on connections that experience packet loss. If you are a customer with fully managed services running CentOS 5 or older, we urge you to get in contact with us regarding migration paths to a supported OS, if you have not already done so.
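
As an added example (not Softsys's own tooling), the shell script below implements the two checks a practitioner would want behind this notice: whether a kernel release string falls in the 2.6.29-or-newer range the notice names, and, for hosts that cannot be patched, disabling TCP SACK through the net.ipv4.tcp_sack sysctl as described for CentOS 5. The file paths (/etc/sysctl.conf, /proc/sys/net/ipv4/tcp_sack) are the standard locations and are taken as parameters so the functions can be exercised against scratch files without root. The version test only says whether a host is in the named range, not whether its distribution has already backported the fix.

```shell
#!/bin/sh
# Added example (not Softsys tooling): helpers for the two cases in the notice.
#  - Classify a kernel release string against the "2.6.29 or newer" range.
#  - On a host that cannot be patched, disable TCP SACK persistently and live.
# File paths are parameters (with production defaults) so the functions can be
# exercised against scratch files without root.

# Return 0 when the release string is kernel 2.6.29 or newer, 1 otherwise.
# Accepts distro-style strings such as "3.10.0-957.el7.x86_64". Being in the
# range does not mean the host is still vulnerable: a patched 3.10.0 kernel
# matches too, so compare package versions against your distro's fixed
# release before drawing conclusions.
kernel_in_affected_range() {
    ver=${1%%-*}                        # "3.10.0-957.el7.x86_64" -> "3.10.0"
    major=$(echo "$ver" | cut -d. -f1)
    minor=$(echo "$ver" | cut -d. -f2)
    patch=$(echo "$ver" | cut -d. -f3)
    minor=${minor:-0}
    patch=${patch:-0}
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -lt 2 ]; then return 1; fi
    if [ "$minor" -gt 6 ]; then return 0; fi
    if [ "$minor" -lt 6 ]; then return 1; fi
    [ "$patch" -ge 29 ]
}

# Return 0 when SACK is enabled according to a sysctl value file
# (default: the live kernel setting), 1 if disabled or unreadable.
tcp_sack_enabled() {
    f=${1:-/proc/sys/net/ipv4/tcp_sack}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Make "net.ipv4.tcp_sack = 0" persistent in a sysctl file (default
# /etc/sysctl.conf, which exists on CentOS 5, 6 and 7). Idempotent: an
# existing tcp_sack line is rewritten rather than duplicated.
write_sack_disable_conf() {
    conf=${1:-/etc/sysctl.conf}
    if grep -q '^net\.ipv4\.tcp_sack' "$conf" 2>/dev/null; then
        scratch=$(mktemp)
        sed 's/^net\.ipv4\.tcp_sack.*/net.ipv4.tcp_sack = 0/' "$conf" > "$scratch"
        cat "$scratch" > "$conf"        # keeps the file's owner and mode
        rm -f "$scratch"
    else
        printf 'net.ipv4.tcp_sack = 0\n' >> "$conf"
    fi
}

# Disable SACK for the running kernel and persist it. Needs root.
apply_sack_mitigation() {
    write_sack_disable_conf "$1"
    sysctl -w net.ipv4.tcp_sack=0
}

case "${1:-report}" in
    report)
        if kernel_in_affected_range "$(uname -r)"; then
            echo "kernel $(uname -r): in the 2.6.29+ range named in the notice"
        else
            echo "kernel $(uname -r): older than 2.6.29"
        fi
        if tcp_sack_enabled; then
            echo "tcp_sack: enabled"
        else
            echo "tcp_sack: disabled or unknown"
        fi
        ;;
    apply)
        apply_sack_mitigation "${2:-}"
        ;;
esac
```

Run it with no arguments to report, or as root with `apply` (optionally followed by a sysctl file path) to disable SACK live and persist the setting across reboots. Once a host has been migrated to a patched kernel, set net.ipv4.tcp_sack back to 1, since the mitigation costs throughput on lossy links.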

Impact of Work:
CentOS 6 and CentOS 7 hosts with fully managed service will be briefly rebooted over the next 8 hours. Expected downtime on each server will be around 2 to 5 minutes, depending on server startup speed. There may be some outliers, but any server that takes too long to start up will be investigated promptly.

We must do this before exploits are in the wild and frequent, since the update process itself depends on the server's network connectivity, which is exactly what this vulnerability attacks.

Thank you for your co-operation,

Softsys Support
