Unified Access Gateway (and Access Point) workaround for CVE-2019-11477 and CVE-2019-11478

Article ID: 315273

Products

VMware vSphere ESXi

Issue/Introduction

CVE-2019-11477 and CVE-2019-11478 have been determined to affect all versions of Unified Access Gateway (and Access Point) up to and including version 3.5. These vulnerabilities, their impact on VMware products, and VMware's overall response are documented in VMSA-2019-0010. Review that advisory before continuing, as it may cover considerations outside the scope of this document, including permanent solutions.
The Unified Access Gateway team has determined that the issues above can be mitigated by performing the steps in the Resolution section of this article. This workaround is a temporary measure only; the permanent remediation is included in UAG 3.6.

For the deployment and configuration procedure, see: How to deploy & Configure VMware Unified Access Gateway for Horizon

Resolution

To implement the workaround for CVE-2019-11477 and CVE-2019-11478, perform the following steps:
  1. Log in to the UAG console shell using the root admin account.
  2. Verify that TCP SACK is enabled by checking that the output shows net.ipv4.tcp_sack = 1:

    sysctl -a | grep tcp_sack

  3. Disable TCP SACK for the running kernel:

    sysctl -w net.ipv4.tcp_sack=0

     
No reboot is required for the setting to take effect. The value set with sysctl -w is not persistent, however, so you must also ensure that TCP SACK is not re-enabled after a reboot by appending the setting to the sysctl configuration:

    echo net.ipv4.tcp_sack=0 >>/etc/sysctl.d/99-sysctl.conf

After a reboot, repeat the check from step 2 to confirm that net.ipv4.tcp_sack is still 0.
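The following POSIX shell script is an added example, not VMware's code and not part of this KB article. It performs the same three operations as the steps above (read the current value, disable SACK with sysctl -w, persist the setting in /etc/sysctl.d/99-sysctl.conf) and then verifies both the running value and the persisted line. Unlike a bare `echo ... >>`, the persistence step is idempotent, so running the script twice does not leave duplicate lines in the file. The function names are hypothetical; the file paths are taken from the article and can be overridden through SACK_PROC and SACK_CONF so the logic can be exercised against copies of the files without root.

```shell
#!/bin/sh
# Added example (not VMware's code): disable and persist net.ipv4.tcp_sack=0
# as described in KB 315273, idempotently and with a post-change verification.
# The defaults are the real kernel interface and the sysctl.d file named in the KB;
# both can be overridden so the helper functions can be tested against scratch files.

SACK_PROC="${SACK_PROC:-/proc/sys/net/ipv4/tcp_sack}"
SACK_CONF="${SACK_CONF:-/etc/sysctl.d/99-sysctl.conf}"
SACK_LINE="net.ipv4.tcp_sack=0"

# Print the running value (0 or 1) read from the procfs file given as $1.
sack_runtime_value() {
    tr -d '[:space:]' < "$1"
}

# Return 0 when the file in $1 already pins tcp_sack to 0 (whitespace tolerant),
# so re-running the script does not append duplicate lines.
sack_is_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.tcp_sack[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1" 2>/dev/null
}

# Append the setting to the conf file in $1 only if it is not already present.
sack_persist() {
    if sack_is_persisted "$1"; then
        return 0
    fi
    printf '%s\n' "$SACK_LINE" >> "$1"
}

# Apply the workaround on a live system (requires root): disable now, persist, verify.
apply_sack_workaround() {
    sysctl -w net.ipv4.tcp_sack=0 > /dev/null || return 1
    sack_persist "$SACK_CONF" || return 1
    if [ "$(sack_runtime_value "$SACK_PROC")" != "0" ]; then
        echo "runtime value of tcp_sack is still not 0" >&2
        return 1
    fi
    if ! sack_is_persisted "$SACK_CONF"; then
        echo "setting was not persisted in $SACK_CONF" >&2
        return 1
    fi
    echo "tcp_sack disabled and persisted in $SACK_CONF"
}

# Only touch the live system when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "apply" ]; then
    apply_sack_workaround
fi
```

Run it as root with `sh disable_sack.sh apply` on the UAG console shell. Files in /etc/sysctl.d are applied in lexical order at boot, so if another file sorting after 99-sysctl.conf sets net.ipv4.tcp_sack=1 it would win; the post-reboot check from step 2 is what catches that.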

For up-to-date information on CVE-2019-11477 and CVE-2019-11478, as well as future security information, add your email address to the "Sign up for Security Advisories" window found in VMSA-2019-0010.

Additional Information

Impact/Risks:
Warning
This workaround is applicable ONLY to Unified Access Gateway (and Access Point). Do not apply this workaround to other VMware products.

Functionality Impacts
Disabling TCP SACK on Unified Access Gateway may reduce throughput when TCP packet loss occurs, because the sender must retransmit more data than it would with selective acknowledgements. SACK is only an optimization, and disabling it is not expected to have any significant impact on the UAG use cases.