TCP Vulnerabilities in Linux Kernels - Patch GKE

Got the following email from GCP:

Hello Google Kubernetes Engine Customer,

Netflix has recently disclosed three TCP vulnerabilities in Linux kernels:

CVE-2019-11477 [1]

CVE-2019-11478 [2]

CVE-2019-11479 [3]

These CVEs are collectively referred to as NFLX-2019-001.

Unpatched Linux kernels may be vulnerable to a remotely triggered denial of service attack. Kubernetes Engine Nodes that send or receive untrusted network traffic are affected, and we recommend that you upgrade to the latest patch version as soon as possible, as we detail below.

What should I do?

Due to the severity of these vulnerabilities, whether you have node-autoupgrade enabled or not, we recommend that you manually upgrade your nodes as soon as possible.

In order to upgrade, you must first upgrade your master to the newest version. This patch will be available in Kubernetes 1.11.8-gke.10, Kubernetes 1.12.7-gke.24, Kubernetes 1.12.8-gke.10 and Kubernetes 1.13.6-gke.13. New clusters have been using the patched version (except 1.11.10) by default starting Saturday, June 22. A patched 1.11.10 version will be made available in the coming days, and impacted customers will receive an additional notification. GKE customers who have node-autoupgrade enabled and who do not manually upgrade will have their nodes upgraded to patched versions at the normal cadence.

What vulnerabilities are addressed by this patch?

CVE-2019-11477: SACK Panic (Linux >= 2.6.29). This is rated as a High vulnerability.

CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions). This is rated as a Medium vulnerability.

CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions). This is rated as a Medium vulnerability.

Need more information or help?

If you have any questions or require assistance, please do not hesitate to reply to this email to contact Google Cloud Support.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11477

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11478

[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11479

1 points | by amirathi 1766 days ago

0 comments
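The notice above gives the patched GKE releases and says the master must be upgraded before the node pools. As an added example (not Google's code and not part of the original post), the script below parses the output of `gcloud container node-pools list --cluster CLUSTER --format='value(name,version)'`, decides per pool whether its version is at or above the patched build quoted in the email for its series, and prints the `gcloud container clusters upgrade ... --node-pool` command for each pool that still needs work. The function names, the cluster name `prod-cluster` and the sample listing are constructed for illustration; versions in a series the notice does not list (such as 1.11.10 at the time) are reported as unknown rather than patched, since the email says a fixed 1.11.10 build was still pending.

```python
"""Audit GKE node-pool versions against the patched releases named in the
NFLX-2019-001 notice. Example code with assumed helper names; the sample
gcloud output at the bottom is constructed, not captured from a real cluster."""
import re
from typing import Optional

# Patched releases quoted in the notice, keyed by their Kubernetes patch series.
# Any release in the same series with an equal or higher gke build carries the fix.
PATCHED_MIN = {
    (1, 11, 8): 10,   # 1.11.8-gke.10
    (1, 12, 7): 24,   # 1.12.7-gke.24
    (1, 12, 8): 10,   # 1.12.8-gke.10
    (1, 13, 6): 13,   # 1.13.6-gke.13
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


def parse_gke_version(version: str):
    """Split '1.12.7-gke.24' into ((1, 12, 7), 24); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a GKE version string: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


def is_patched(version: str) -> Optional[bool]:
    """True if the version is at or above the patched build for its series,
    False if it is an older build of a listed series, None if the series is
    not listed in the notice (e.g. 1.11.10) and must be checked against the
    GKE release notes before it is trusted."""
    series, build = parse_gke_version(version)
    if series not in PATCHED_MIN:
        return None
    return build >= PATCHED_MIN[series]


def audit_node_pools(cluster: str, listing: str):
    """Take the text of
       gcloud container node-pools list --cluster CLUSTER --format='value(name,version)'
    (one 'name<TAB>version' line per pool) and return, per pool, a status and
    the upgrade command to run once the master is already on a patched version."""
    results = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        name, version = line.split()
        state = is_patched(version)
        status = {True: "patched", False: "VULNERABLE", None: "unknown-series"}[state]
        action = None
        if state is not True:
            # Upgrading a pool without --cluster-version takes it to the master's version,
            # which is why the notice says to upgrade the master first.
            action = f"gcloud container clusters upgrade {cluster} --node-pool {name}"
        results.append((name, version, status, action))
    return results


# Constructed sample of what the gcloud listing could look like for one cluster.
SAMPLE_LISTING = """\
default-pool\t1.12.7-gke.10
batch-pool\t1.12.7-gke.24
legacy-pool\t1.11.10-gke.5
"""

if __name__ == "__main__":
    for name, version, status, action in audit_node_pools("prod-cluster", SAMPLE_LISTING):
        print(f"{name:14} {version:16} {status}")
        if action:
            print(f"    next: {action}")
```

Run it against the real listing by piping `gcloud container node-pools list ... --format='value(name,version)'` into the script in place of `SAMPLE_LISTING`; the master itself is upgraded first with `gcloud container clusters upgrade CLUSTER --master --cluster-version VERSION`, using one of the patched versions from the email.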