To implement the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 perform the following steps:
- Log in to each vRealize Automation Virtual Appliance in the cluster as root via SSH or Console.
- Run the following commands:
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
Note: To make the workaround persistent, edit /etc/bootstrap/everyboot.d/02-iptables and add the lines above.
To confirm that the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 has been correctly applied, perform the following steps:
- Run the following commands on each vRealize Automation Virtual Appliance in the cluster:
iptables -L | grep tcpmss
ip6tables -L | grep tcpmss
To remove the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479 at a later time, perform the following steps:
iptables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
Note: If the workaround was made persistent, edit /etc/bootstrap/everyboot.d/02-iptables and remove the lines above.
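As an added example that is not part of the VMware KB, the following script wraps the apply, confirm and remove steps above in one idempotent helper per appliance. It assumes iptables and ip6tables are on PATH and that it runs as root, and it uses `iptables -C` (exact rule check) rather than the KB's `grep tcpmss` so that repeated runs never insert a duplicate rule and removal clears every copy.

```shell
#!/bin/sh
# Added example (not from the VMware KB): idempotent apply/verify/remove of the
# SYN/MSS filter above on one appliance. Assumes iptables and ip6tables are on
# PATH and that the script runs as root. Usage: sack-workaround.sh apply|verify|remove
set -u

# Rule body exactly as in the KB; -I/-D/-C is prepended per call.
RULE='INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP'

# rule_present TOOL: 0 if the rule is already in TOOL's INPUT chain.
# `-C` (check) matches the whole rule, unlike `iptables -L | grep tcpmss`.
rule_present() {
  # shellcheck disable=SC2086  # splitting RULE into separate arguments is intended
  "$1" -C $RULE 2>/dev/null
}

# apply_rule TOOL: insert only if missing, so re-running never stacks duplicates.
apply_rule() {
  if rule_present "$1"; then
    echo "$1: rule already present"
  else
    "$1" -I $RULE && echo "$1: rule inserted"
  fi
}

# remove_rule TOOL: delete every copy (a single `-D` removes only one instance).
remove_rule() {
  while rule_present "$1"; do
    "$1" -D $RULE || return 1
  done
  echo "$1: rule absent"
}

# verify_all: 0 only when both the IPv4 and IPv6 rules are in place.
verify_all() {
  rule_present iptables && rule_present ip6tables
}

main() {
  case "${1:-}" in
    apply)  apply_rule iptables && apply_rule ip6tables ;;
    verify) verify_all && echo "workaround active on this appliance" ;;
    remove) remove_rule iptables && remove_rule ip6tables ;;
    *)      echo "usage: $0 apply|verify|remove" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The persistence step is unchanged: the two `-I` lines still have to be added to /etc/bootstrap/everyboot.d/02-iptables for the rules to survive a reboot.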
For up-to-date information on CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479, as well as future security information, please add your email address to the "Sign up for Security Advisories" window found in VMSA-2019-0010.