Kernel update: Virtuozzo ReadyKernel patch 82.2 for Virtuozzo 7.0.8 HF1 and 7.0.10 HF1

Issue date: 2019-06-27

Applies to: Virtuozzo 7.0

Virtuozzo Advisory ID: VZA-2019-053

1. Overview

The fixes for CVE-2019-11477 and CVE-2019-11478 released in ReadyKernel patch 82.0 turned out to cause network-related issues. This ReadyKernel patch removes those fixes for the kernels 3.10.0-862.11.6.vz7.64.7 (Virtuozzo 7.0.8 HF1) and 3.10.0-957.12.2.vz7.86.2 (Virtuozzo 7.0.10 HF1). Until the issues with the kernel fixes are resolved, you may consider the other mitigations for CVE-2019-11477 and CVE-2019-11478 outlined in the referenced link: either disable selective acknowledgments (SACK) system-wide for TCP connections, or use iptables to drop connections with an MSS size that could allow the vulnerability to be exploited. In addition, the patch fixes a stability issue.
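
An added example, not part of the Virtuozzo advisory: a shell check that reports whether either mitigation named above is in effect on a host. The function names are hypothetical, and the `--mss 1:500` range in the constructed sample and the `tcp_mtu_probing` condition are assumptions taken from upstream guidance for these CVEs, not from this advisory.

```shell
#!/bin/sh
# Classify a host's mitigation state for CVE-2019-11477 / CVE-2019-11478.
# Values are passed in as text so the logic can be exercised offline.

# has_mss_drop RULES: succeed if iptables-save style text contains an INPUT
# rule that matches TCP segments on MSS (-m tcpmss --mss ...) and drops them.
has_mss_drop() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -p tcp / && / -m tcpmss / && / --mss / && / -j DROP( |$)/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# mitigation_status SACK MTU_PROBING RULES
# Prints the state; returns 0 if a mitigation is effective, 1 otherwise.
mitigation_status() {
    sack="$1"
    probing="$2"
    rules="$3"
    if [ "$sack" = "0" ]; then
        echo "mitigated: SACK disabled system-wide"
        return 0
    fi
    if has_mss_drop "$rules"; then
        # Assumption from upstream guidance: the MSS filter is only
        # effective while net.ipv4.tcp_mtu_probing is 0.
        if [ "$probing" = "0" ]; then
            echo "mitigated: low-MSS filter in INPUT"
            return 0
        fi
        echo "incomplete: MSS filter present but tcp_mtu_probing=$probing"
        return 1
    fi
    echo "unmitigated: SACK enabled and no MSS filter"
    return 1
}

# live_status: feed the running host's values (iptables-save needs root).
live_status() {
    mitigation_status "$(sysctl -n net.ipv4.tcp_sack)" \
        "$(sysctl -n net.ipv4.tcp_mtu_probing)" "$(iptables-save -t filter)"
}

# Constructed sample ruleset; the 1:500 range is an assumed value.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcpmss --mss 1:500 -j DROP
COMMIT'
mitigation_status 1 0 "$SAMPLE_RULES" || true
```

Call `live_status` as root on the Virtuozzo node to evaluate the running configuration; dropping low-MSS connections can break legitimate peers that rely on a small MSS.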

2. Bug Fixes

  • It was possible that two or more versions of ReadyKernel patches for the same kernel were installed and loaded at the same time. This could lead to kernel crashes. (PSBM-95718)

3. Installing the Update

Download, install, and immediately apply the patch to the current kernel by running ‘readykernel update’.

4. References

The JSON file with the list of new and updated packages is available at https://docs.virtuozzo.com/vza/VZA-2019-053.json.