Linux TCP vulnerability CVE-2019-11477: fix method for CentOS 7

    A brief introduction to CVE-2019-11477: https://cert.360.cn/warning/detail?id=27d0c6b825c75d8486c446556b9c9b68
    Red Hat users can use the following script to check whether the system is vulnerable: https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    AWS CVE-2019-11477 remediation documentation: https://amazonaws-china.com/cn/security/security-bulletins/AWS-2019-005/?from=groupmessage
    Alibaba Cloud remediation documentation: https://help.aliyun.com/noticelist/articleid/1060012493.html?spm=a2c4g.789004748.n2.7.15386141GM8Eyl

    Linux TCP vulnerability CVE-2019-11477, CentOS 7 fix method: https://www.cnblogs.com/wzstudy/p/11058328.html

    1 Upgrade the kernel directly (requires a reboot)

    # Download the vulnerability detection script
    [root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

    [root@CentOS7 ~]# ll
    总用量 36
    -rw-------. 1 root root  1608 3月  19 09:44 anaconda-ks.cfg
    -rw-r--r--  1 root root 28701 6月  18 01:00 cve-2019-11477--2019-06-17-1629.sh
    
    # Check the current kernel
    [root@CentOS7 ~]# rpm -qa|grep kernel
    kernel-3.10.0-957.5.1.el7.x86_64
    kernel-headers-3.10.0-957.5.1.el7.x86_64
    kernel-devel-3.10.0-957.el7.x86_64
    kernel-devel-3.10.0-957.5.1.el7.x86_64
    kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
    kernel-tools-3.10.0-957.5.1.el7.x86_64
    abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
    kernel-3.10.0-957.el7.x86_64
    
    # Run the script to check the current vulnerability state
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    # Update the kernel
    [root@CentOS7 ~]# yum update kernel
    [root@CentOS7 ~]# rpm -qa|grep kernel
    kernel-3.10.0-957.5.1.el7.x86_64
    kernel-3.10.0-957.21.3.el7.x86_64
    kernel-headers-3.10.0-957.5.1.el7.x86_64
    kernel-devel-3.10.0-957.el7.x86_64
    kernel-devel-3.10.0-957.5.1.el7.x86_64
    kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
    kernel-tools-3.10.0-957.5.1.el7.x86_64
    abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
    kernel-3.10.0-957.el7.x86_64
    
    # After upgrading the kernel, run the check again (still reported vulnerable: the new kernel is installed but not yet running)
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    
    # Reboot for the new kernel to take effect
    [root@CentOS7 ~]# reboot

    # Check the vulnerability state after the reboot: the system is now not affected
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.21.3.el7.x86_64
    
    This system is Not affected
    
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    

    2 Modify the kernel parameter (temporary method, no reboot required)

    [root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

    # Check the current vulnerability state: the system is vulnerable
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    # Modify the kernel parameter (disable TCP SACK)
    [root@CentOS7 ~]# echo 0 > /proc/sys/net/ipv4/tcp_sack
    
    # Check the vulnerability state again
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Mitigated
    
    * Running kernel is vulnerable
    * sysctl mitigation is applied
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    # The setting is lost after a reboot; recommended only as a temporary measure, or persist it in sysctl.conf (net.ipv4.tcp_sack = 0)
    

    3 Recommendation

    Apply the temporary method first by modifying the kernel parameter, which takes effect immediately.
    Then upgrade the kernel; the fix takes effect automatically once the machine can be rebooted.
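The three states the checker reports above, worked through as an added example that is not part of the original post or of Red Hat's script: it decides Vulnerable, Mitigated or Not affected from the running kernel, the newest installed kernel and the tcp_sack value, and flags the installed-but-not-booted case from section 1. It assumes 3.10.0-957.21.3.el7 (the kernel that reports Not affected above) is the first fixed CentOS 7 kernel, and its --live mode assumes rpm is present.

```shell
#!/bin/sh
# Added example (not code from the post or from Red Hat's checker script):
# derive the three states seen above, Vulnerable / Mitigated / Not affected,
# from the running kernel, the newest installed kernel and the tcp_sack value.
# Assumption: the first fixed CentOS 7 kernel is 3.10.0-957.21.3.el7, the
# version that reports "Not affected" in the walkthrough.
FIXED_KERNEL="3.10.0-957.21.3.el7"

# "3.10.0-957.5.1.el7.x86_64" -> "3.10.0.957.5.1" (drop dist tag and arch)
ver_key() {
    printf '%s' "$1" | sed 's/-/./; s/\.el[0-9].*$//'
}

# kernel_at_least RUNNING FIXED: succeeds when RUNNING >= FIXED, comparing
# numeric fields one at a time; a missing field counts as 0.
kernel_at_least() {
    a=$(ver_key "$1"); b=$(ver_key "$2"); i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then return 0; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# assess RUNNING INSTALLED TCP_SACK: prints the state the post's checker would.
# Second branch: a fixed kernel that is installed but not booted yet (the
# "yum update kernel" step before reboot) is still vulnerable.
assess() {
    if kernel_at_least "$1" "$FIXED_KERNEL"; then
        echo "Not affected"
    elif [ "$3" = "0" ]; then
        echo "Mitigated (net.ipv4.tcp_sack=0, lost on reboot unless persisted)"
    elif kernel_at_least "$2" "$FIXED_KERNEL"; then
        echo "Vulnerable (fixed kernel $2 installed, reboot required)"
    else
        echo "Vulnerable"
    fi
}

# With --live, assess this host (assumes a CentOS 7 box with rpm available).
if [ "${1:-}" = "--live" ]; then
    newest=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' | sort -V | tail -n 1)
    assess "$(uname -r)" "$newest" "$(cat /proc/sys/net/ipv4/tcp_sack)"
fi
```

Disabling SACK trades TCP throughput on lossy paths for the mitigation, which is why the post treats it as a stopgap until the fixed kernel is actually running.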

    Original article: https://www.cnblogs.com/wzstudy/p/11058328.html