Vulnerability CVE-2019-11479: Information

Description

Jonathan Looney discovered that the Linux kernel default MSS is hard-coded to 48 bytes. This allows a remote peer to fragment TCP resend queues significantly more than if a larger MSS were enforced. A remote attacker could use this to cause a denial of service. This has been fixed in stable kernel releases 4.4.182, 4.9.182, 4.14.127, 4.19.52, 5.1.11, and is fixed in commits 967c05aee439e6e5d7d805e195b3a20ef5c433d6 and 5f3e2bf008c2221478101ee72f5cb4654b9fc363.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Published: June 19, 2019
Modified: Nov. 7, 2023
Error type identifier: CWE-770

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| kernel-image-mp | sisyphus | 4.20.4-alt1 | 6.8.8-alt1 | ALT-PU-2019-1139-1 | 220078 | Fixed |
| kernel-image-mp | p10 | 4.20.4-alt1 | 6.1.19-alt1 | ALT-PU-2019-1139-1 | 220078 | Fixed |
| kernel-image-mp | p9 | 5.1.12-alt1 | 5.12.16-alt1 | ALT-PU-2019-2117-1 | 232756 | Fixed |
| kernel-image-mp | c9f2 | 5.1.12-alt1 | 5.7.16-alt1 | ALT-PU-2019-2117-1 | 232756 | Fixed |
| kernel-image-ovz-el | p8 | 2.6.32-alt168.M80P.2 | 2.6.32-alt170.M80P.1 | ALT-PU-2019-2144-1 | 232713 | Fixed |
| kernel-image-std-debug | sisyphus | 4.19.55-alt1 | 6.1.91-alt1 | ALT-PU-2019-2134-1 | 233077 | Fixed |
| kernel-image-std-debug | c9f2 | 4.19.97-alt1 | 4.19.102-alt1 | ALT-PU-2020-1070-1 | 244478 | Fixed |
| kernel-image-std-def | sisyphus | 4.19.55-alt1 | 6.1.91-alt1 | ALT-PU-2019-2136-1 | 233079 | Fixed |
| kernel-image-std-def | p10 | 4.19.55-alt1 | 5.10.216-alt1 | ALT-PU-2019-2136-1 | 233079 | Fixed |
| kernel-image-std-def | p9 | 4.19.56-alt1 | 5.4.275-alt1 | ALT-PU-2019-2157-1 | 233158 | Fixed |
| kernel-image-std-def | p8 | 4.9.181-alt0.M80P.1 | 4.9.337-alt0.M80P.1 | ALT-PU-2019-2086-1 | 232429 | Fixed |
| kernel-image-std-def | c9f2 | 4.19.56-alt1 | 5.10.214-alt0.c9f.2 | ALT-PU-2019-2157-1 | 233158 | Fixed |
| kernel-image-std-def | c7 | 4.4.183-alt0.M70C.1 | 4.4.277-alt0.M70C.1 | ALT-PU-2019-2175-1 | 233233 | Fixed |
| kernel-image-std-pae | c9f2 | 4.19.56-alt1 | 4.19.72-alt1 | ALT-PU-2019-2180-1 | 233161 | Fixed |
| kernel-image-un-def | sisyphus | 4.5.0-alt1 | 6.6.31-alt1 | ALT-PU-2016-1262-1 | 161431 | Fixed |
| kernel-image-un-def | p10 | 4.5.0-alt1 | 6.1.85-alt1 | ALT-PU-2016-1262-1 | 161431 | Fixed |
| kernel-image-un-def | p9 | 5.1.12-alt1 | 5.10.216-alt2 | ALT-PU-2019-2311-1 | 232804 | Fixed |
| kernel-image-un-def | p8 | 4.13.7-alt0.M80P.1 | 4.19.310-alt0.M80P.1 | ALT-PU-2017-2470-1 | 188636 | Fixed |
| kernel-image-un-def | c10f1 | 4.5.0-alt1 | 6.1.85-alt0.c10f.1 | ALT-PU-2016-1262-1 | 161431 | Fixed |
| kernel-image-un-def | c9f2 | 5.1.12-alt1 | 5.10.29-alt2 | ALT-PU-2019-2311-1 | 232804 | Fixed |
| kernel-image-un-def | c7 | 4.9.277-alt0.M70C.1 | 4.9.277-alt0.M70C.1 | ALT-PU-2021-3032-1 | 281292 | Fixed |

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=5f3e2bf008c2221478101ee72f5cb4654b9fc363
  • Mailing List
  • Patch
  • Vendor Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
  • Patch
  • Third Party Advisory
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SACKPanic
  • Mitigation
  • Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=967c05aee439e6e5d7d805e195b3a20ef5c433d6
  • Mailing List
  • Patch
  • Vendor Advisory
https://access.redhat.com/security/vulnerabilities/tcpsack
  • Third Party Advisory
https://support.f5.com/csp/article/K35421172
  • Third Party Advisory
108818
  • Third Party Advisory
  • VDB Entry
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44193
  • Third Party Advisory
VU#905115
  • Third Party Advisory
  • US Government Resource
https://www.synology.com/security/advisory/Synology_SA_19_28
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20190625-0001/
  • Third Party Advisory
RHSA-2019:1594
  • Third Party Advisory
RHSA-2019:1602
  • Third Party Advisory
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0008
  • Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10287
  • Third Party Advisory
[oss-security] 20190628 Re: linux-distros membership application - Microsoft
  • Mailing List
  • Third Party Advisory
USN-4041-2
  • Third Party Advisory
[oss-security] 20190706 Re: linux-distros membership application - Microsoft
  • Mailing List
  • Third Party Advisory
[oss-security] 20190706 Re: linux-distros membership application - Microsoft
  • Mailing List
  • Third Party Advisory
RHSA-2019:1699
  • Third Party Advisory
USN-4041-1
  • Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-462066.pdf
  • Third Party Advisory
https://www.us-cert.gov/ics/advisories/icsa-19-253-03
  • Third Party Advisory
  • US Government Resource
https://www.oracle.com/security-alerts/cpujan2020.html
  • Third Party Advisory
https://www.us-cert.gov/ics/advisories/icsma-20-170-06
  • Third Party Advisory
  • US Government Resource
http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2020-010.txt
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
https://support.f5.com/csp/article/K35421172?utm_source=f5support&amp%3Butm_medium=RSS
          Configuration 1

          cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (start including 4.4, end excluding 4.4.182)
          cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (start including 4.9, end excluding 4.9.182)
          cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (start including 4.14, end excluding 4.14.127)
          cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (start including 4.19, end excluding 4.19.52)
          cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (start including 5.1, end excluding 5.1.11)

          Configuration 2

          cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_advanced_firewall_manager:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 3

          cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_access_policy_manager:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 4

          cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_application_acceleration_manager:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 5

          cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_link_controller:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 6

          cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_policy_enforcement_manager:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 7

          cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_webaccelerator:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 8

          cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_application_security_manager:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 9

          cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 10

          cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_fraud_protection_service:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 11

          cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_global_traffic_manager:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 12

          cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_analytics:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 13

          cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_edge_gateway:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 14

          cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (start including 14.0.0, end excluding 14.0.1.1)
          cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (start including 13.1.0, end excluding 13.1.3.2)
          cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (start including 15.0.0, end excluding 15.0.1.1)
          cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (start including 11.5.2, end excluding 11.6.5.1)
          cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (start including 12.1.0, end excluding 12.1.5.1)
          cpe:2.3:a:f5:big-ip_domain_name_system:*:*:*:*:*:*:*:* (start including 14.1.2, end excluding 14.1.2.1)

          Configuration 15

          cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

          cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

          cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

          cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

          cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

          Configuration 16

          cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

          Configuration 17

          cpe:2.3:a:f5:enterprise_manager:3.1.1:*:*:*:*:*:*:*
          cpe:2.3:a:f5:traffix_signaling_delivery_controller:*:*:*:*:*:*:*:* (start including 5.0.0, end including 5.1.0)
          cpe:2.3:a:f5:big-iq_centralized_management:*:*:*:*:*:*:*:* (start including 5.1.0, end including 5.4.0)
          cpe:2.3:a:f5:big-iq_centralized_management:*:*:*:*:*:*:*:* (start including 6.0.0, end including 6.1.0)
          cpe:2.3:a:f5:iworkflow:2.3.0:*:*:*:*:*:*:*

          Configuration 18

          cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*

          Running on/with:
          cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*