CVE-2018-5390 - Linux Kernel 4.9
A design flaw affecting Linux Kernels 4.9 and above has been announced and can cause unavailability of your server.
a. What's going on technically?
A Denial of Service can be initiated due to a TCP/IP stack issue in the Linux Kernel.
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390
The algorithm managing the fragmented TCP packets turned out not to be efficient enough when it has to tidy up many packets with random sequence identifiers. The resulting high CPU usage could make a Denial of Service attack possible.
b. What's the impact?
The impact is only on the availability of your services.
This CVE is not about corruption, data loss or privilege escalation.
c. What services are impacted?
Only servers and virtual machines running a Linux Kernel 4.9 and above with a TCP port exposed on the Internet, without any firewall, are affected. Note that the OVH IPLB (IP LoadBalancer) mitigates the issue.
Some services, which are entirely managed by OVH, will not require any manipulation on your part: Domains, Metrics and Logs Data Platform, xDSL, VoIP, DBaaS, OVH Load Balancer, vRack, Exchange, MX Plan, Web Hosting, Cloud Desktop, VDI, CDN, Swift, CEPH, NAS-HA, Public Cloud Storage and Public Cloud Archive.
Windows platforms are not impacted either.
To determine whether your service is impacted or not, you can have a look at this guide: docs.ovh.com/ie/en/dedicated/updating-kernel-dedicated-server/#identify-the-kernel
d. How to mitigate the issue?
If your service is affected, we recommend that you upgrade your kernel as soon as possible:
— For Dedicated Servers customers, kernels 4.9.118 and 4.14.61 are available on our mirrors and mitigate the issue. This guide will help you get through the process: docs.ovh.com/ie/en/dedicated/updating-kernel-dedicated-server/
— For Public Cloud and VPS customers, we are following official distribution recommendations. This means that as soon as vendors have patched their distributions, you will be safe. Note that Debian has already published the mitigation.
— For Private Cloud customers, we recommend that you upgrade your kernel to the latest upstream version.
travaux.ovh.net/?do=details&id=33293
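A quick check for the Dedicated Server case above, as an added example that is not OVH's own tooling: it compares a kernel release string with the fixed versions named in this advisory (4.9.118 and 4.14.61). The function name, result labels and sample release strings are constructed for illustration, and it assumes the release string carries the upstream version number, which is not the case for distribution kernels that backport fixes under an older number.

```shell
#!/bin/sh
# Added example: classify a kernel release against the versions in this advisory.
# Prints one of: not-affected | fixed | needs-update | check-vendor
# Assumption: the release string starts with the upstream version
# (e.g. the constructed sample "4.9.103-xxxx-std-ipv6-64"). Distribution
# kernels backport fixes, so for those confirm with the vendor's advisory.
classify_kernel() {
    rel=${1:-$(uname -r)}
    # Keep the leading numeric part only: "4.9.103-xxxx-std" -> "4.9.103"
    ver=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p')
    [ -n "$ver" ] || { echo check-vendor; return; }

    major=$(echo "$ver" | cut -d. -f1)
    minor=$(echo "$ver" | cut -d. -f2)
    patch=$(echo "$ver" | cut -d. -f3)
    patch=${patch:-0}

    # The advisory concerns kernels 4.9 and above only.
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 9 ]; }; then
        echo not-affected
        return
    fi

    # Fixed releases named in the advisory, per stable branch.
    case "$major.$minor" in
        4.9)  fixed_patch=118 ;;
        4.14) fixed_patch=61 ;;
        *)    echo check-vendor; return ;;  # no fixed version given on the page
    esac

    if [ "$patch" -ge "$fixed_patch" ]; then
        echo fixed
    else
        echo needs-update
    fi
}

# With no argument, classify the running kernel.
classify_kernel "$@"
```
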