This knowledge article contains a resolution for the following vulnerabilities CVE-2019-11477 and CVE-2019-11478.
CVE-2019-11477, known as “SACK Panic,” is an integer overflow vulnerability that can be triggered by a remote attacker sending a sequence of TCP Selective ACKnowledgements (SACKs) to a vulnerable system, which could result in a system crash (kernel panic).
CVE-2019-11478 is an excess resource consumption vulnerability that can be triggered by a remote attacker sending a sequence of SACKs to a vulnerable system, resulting in the fragmentation of the TCP retransmission queue.
sysctl -w net.ipv4.tcp_sack=0
net.ipv4.tcp_sack = 0
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center