• Linux TCP vulnerability CVE-2019-11477: fix for CentOS 7


    Brief introduction to CVE-2019-11477: https://cert.360.cn/warning/detail?id=27d0c6b825c75d8486c446556b9c9b68
    Red Hat users can check whether a system is vulnerable with this script: https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    AWS remediation document for CVE-2019-11477: https://amazonaws-china.com/cn/security/security-bulletins/AWS-2019-005/?from=groupmessage
    Alibaba Cloud remediation document: https://help.aliyun.com/noticelist/articleid/1060012493.html?spm=a2c4g.789004748.n2.7.15386141GM8Eyl

    Linux TCP vulnerability CVE-2019-11477, fix for CentOS 7: https://www.cnblogs.com/wzstudy/p/11058328.html

    1 Fix by upgrading the kernel directly (requires a reboot)

    #Download the vulnerability detection script
    #[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    
    #[root@CentOS7 ~]# ll
    总用量 36
    -rw-------. 1 root root  1608 3月  19 09:44 anaconda-ks.cfg
    -rw-r--r--  1 root root 28701 6月  18 01:00 cve-2019-11477--2019-06-17-1629.sh
    
    #Check the current kernel
    [root@CentOS7 ~]# rpm -qa|grep kernel
    kernel-3.10.0-957.5.1.el7.x86_64
    kernel-headers-3.10.0-957.5.1.el7.x86_64
    kernel-devel-3.10.0-957.el7.x86_64
    kernel-devel-3.10.0-957.5.1.el7.x86_64
    kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
    kernel-tools-3.10.0-957.5.1.el7.x86_64
    abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
    kernel-3.10.0-957.el7.x86_64
    
    #Run the script to check the current vulnerability status
    #[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    #Update the kernel
    #[root@CentOS7 ~]# yum update kernel
    #[root@CentOS7 ~]# rpm -qa|grep kernel
    kernel-3.10.0-957.5.1.el7.x86_64
    kernel-3.10.0-957.21.3.el7.x86_64
    kernel-headers-3.10.0-957.5.1.el7.x86_64
    kernel-devel-3.10.0-957.el7.x86_64
    kernel-devel-3.10.0-957.5.1.el7.x86_64
    kernel-tools-libs-3.10.0-957.5.1.el7.x86_64
    kernel-tools-3.10.0-957.5.1.el7.x86_64
    abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64
    kernel-3.10.0-957.el7.x86_64
    
    #Run the check again after upgrading the kernel (the old kernel is still running until reboot, so the script still reports Vulnerable)
    #[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    
    #Reboot for the new kernel to take effect
    #[root@CentOS7 ~]# reboot
    
    #Check the vulnerability status after the reboot: the system is now not affected
    #[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.21.3.el7.x86_64
    
    This system is Not affected
    
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    

    2 Fix by changing a kernel parameter (temporary; no reboot required)

    #[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh
    
    #Check the current vulnerability status: the system is vulnerable
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Vulnerable
    
    * Running kernel is vulnerable
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    #Change the kernel parameter (disable TCP SACK)
    [root@CentOS7 ~]# echo 0 > /proc/sys/net/ipv4/tcp_sack
    
    #Check the vulnerability status again
    [root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh
    
    This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported
    Red Hat Enterprise Linux systems and kernel packages.
    Result may be inaccurate for other RPM based systems.
    
    Running kernel: 3.10.0-957.5.1.el7.x86_64
    
    This system is Mitigated
    
    * Running kernel is vulnerable
    * sysctl mitigation is applied
    
    For more information about this vulnerability, see:
    https://access.redhat.com/security/vulnerabilities/tcpsack
    
    #This setting is lost on reboot; it is recommended only as a temporary measure, or write it into the sysctl.conf configuration file
    

    3 Recommendation

    First apply the temporary fix by changing the kernel parameter; it takes effect immediately.
    Then upgrade the kernel; the permanent fix takes effect automatically once the machine can be rebooted.
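The following POSIX sh script is an added example, not from the original post or from Red Hat's detection script. It reproduces the three verdicts seen above (Vulnerable / Mitigated / Not affected) from two explicit inputs, the running kernel release and the net.ipv4.tcp_sack value, and writes the interim mitigation to a sysctl drop-in so it survives a reboot; the fixed release 3.10.0-957.21.3.el7 is taken from the post, and the drop-in path is this example's own choice.

```shell
#!/bin/sh
# Added example (not part of the original post). Inputs are passed explicitly so
# the decision logic can be exercised without root or a reboot:
#   $1 = running kernel release (as printed by `uname -r`)
#   $2 = current value of net.ipv4.tcp_sack (1 = SACK on, 0 = interim mitigation)
# Only the CentOS 7 3.10.0-957.* kernel stream is handled; the fixed release
# 3.10.0-957.21.3.el7 is the one shown in the post.

# Return 0 (true) when the running kernel is at least 3.10.0-957.21.3.el7.
kernel_fixed() {
    rel="$1"
    case "$rel" in
        3.10.0-957.*.el7*) ;;          # e.g. 3.10.0-957.5.1.el7.x86_64
        *) return 1 ;;                 # 3.10.0-957.el7 or another stream: not fixed
    esac
    sub="${rel#3.10.0-957.}"           # "5.1.el7.x86_64"
    sub="${sub%%.el7*}"                # "5.1"
    major="${sub%%.*}"                 # 5
    case "$sub" in
        *.*) minor="${sub#*.}"; minor="${minor%%.*}" ;;
        *)   minor=0 ;;
    esac
    [ "$major" -gt 21 ] && return 0
    [ "$major" -eq 21 ] && [ "$minor" -ge 3 ] && return 0
    return 1
}

# Combine kernel state and sysctl state into the verdicts the Red Hat script prints.
# After `yum update kernel` but before reboot, `uname -r` still shows the old
# release, so the verdict stays Vulnerable/Mitigated until the machine restarts.
sack_status() {
    if kernel_fixed "$1"; then echo "Not affected"
    elif [ "$2" = "0" ]; then echo "Mitigated"
    else echo "Vulnerable"
    fi
}

# Persist the interim mitigation so it survives a reboot. $1 is the target file;
# the default path is this example's choice (the post suggests sysctl.conf).
# Apply it without rebooting with: sysctl -p "$file"
write_sack_conf() {
    f="${1:-/etc/sysctl.d/99-cve-2019-11477.conf}"
    printf 'net.ipv4.tcp_sack = 0\n' > "$f"
}

# Usage on a live host: sh check.sh live
if [ "${1:-}" = "live" ]; then
    sack_status "$(uname -r)" "$(cat /proc/sys/net/ipv4/tcp_sack)"
fi
```

Disabling SACK reduces TCP recovery efficiency on lossy links, which is why the post treats it as an interim measure and the kernel upgrade as the real fix.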

  • Original address: https://www.cnblogs.com/wzstudy/p/11058328.html