Implement the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479
On each vRealize Orchestrator Virtual Appliance in the cluster, run these commands:
iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
Note: To make the workaround persistent, edit /etc/bootstrap/everyboot.d/02-iptables and add the lines above.
Confirm the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479
On each vRealize Orchestrator Virtual Appliance in the cluster, run these commands:
iptables -L | grep tcpmss
ip6tables -L | grep tcpmss
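Added example, not part of the original article or VMware's tooling: an idempotent way to apply and verify the workaround. `iptables -L | grep tcpmss` matches any rule that uses the tcpmss module, and repeating `-I` loads duplicate copies that `-D` removes only one at a time, so this sketch checks for the exact rule with `-C` before inserting. The helper names `ensure_rule` and `persisted` and the `--apply` switch are assumptions introduced for the example.

```shell
#!/bin/sh
# Added example, not VMware's script. RULE is copied from the commands above.
RULE='INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP'
# Persistence file named in the note above.
BOOT_FILE='/etc/bootstrap/everyboot.d/02-iptables'

# ensure_rule CMD (hypothetical helper): insert RULE with CMD (iptables or
# ip6tables) only when an exact match is not already loaded. "-C" exits 0
# when the rule exists. Sets STATUS to present, added or failed.
ensure_rule() {
    # $RULE is deliberately unquoted so it splits into separate arguments.
    if "$1" -C $RULE 2>/dev/null; then
        STATUS=present
    elif "$1" -I $RULE; then
        STATUS=added
    else
        STATUS=failed
        return 1
    fi
}

# persisted FILE (hypothetical helper): succeed only when FILE holds both
# insert commands as active, uncommented lines.
persisted() {
    for cmd in iptables ip6tables; do
        grep -Eq -- "^[[:space:]]*$cmd -I ${RULE}[[:space:]]*\$" "$1" || return 1
    done
}

# Run as root with --apply on each appliance; without it nothing is changed.
if [ "${1:-}" = "--apply" ]; then
    rc=0
    for cmd in iptables ip6tables; do
        ensure_rule "$cmd" || rc=1
        echo "$cmd: $STATUS"
    done
    persisted "$BOOT_FILE" || { echo "not persistent: $BOOT_FILE lacks the rules"; rc=1; }
    exit "$rc"
fi
```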
Remove the workaround for CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479
On each vRealize Orchestrator Virtual Appliance in the cluster, run these commands:
iptables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
ip6tables -D INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP
Note: If the workaround was made persistent, edit /etc/bootstrap/everyboot.d/02-iptables and remove the lines above.
For up-to-date information on CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479, as well as future security information, please add your email address to the Sign up for Security Advisories window found in VMSA-2019-0010.