Linux TCP vulnerability fix tool: fixing the Linux TCP vulnerability CVE-2019-11477 on CentOS 7

1 Fix by upgrading the kernel directly (requires a machine reboot)

# Download the vulnerability detection script

[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

[root@CentOS7 ~]# ll

總用量 36

-rw-------. 1 root root 1608 3月 19 09:44 anaconda-ks.cfg

-rw-r--r-- 1 root root 28701 6月 18 01:00 cve-2019-11477--2019-06-17-1629.sh

# Check the currently installed kernel packages

[root@CentOS7 ~]# rpm -qa|grep kernel

kernel-3.10.0-957.5.1.el7.x86_64

kernel-headers-3.10.0-957.5.1.el7.x86_64

kernel-devel-3.10.0-957.el7.x86_64

kernel-devel-3.10.0-957.5.1.el7.x86_64

kernel-tools-libs-3.10.0-957.5.1.el7.x86_64

kernel-tools-3.10.0-957.5.1.el7.x86_64

abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64

kernel-3.10.0-957.el7.x86_64

# Run the script to check the current vulnerability status

[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

# Update the kernel

[root@CentOS7 ~]# yum update kernel

[root@CentOS7 ~]# rpm -qa|grep kernel

kernel-3.10.0-957.5.1.el7.x86_64

kernel-3.10.0-957.21.3.el7.x86_64

kernel-headers-3.10.0-957.5.1.el7.x86_64

kernel-devel-3.10.0-957.el7.x86_64

kernel-devel-3.10.0-957.5.1.el7.x86_64

kernel-tools-libs-3.10.0-957.5.1.el7.x86_64

kernel-tools-3.10.0-957.5.1.el7.x86_64

abrt-addon-kerneloops-2.1.11-52.el7.centos.x86_64

kernel-3.10.0-957.el7.x86_64

# After upgrading the kernel, run the check again (the running kernel is still the old one until reboot, so it still reports vulnerable)

[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

# Reboot the machine for the new kernel to take effect

[root@CentOS7 ~]# reboot

# Check the vulnerability status after the reboot: the system is now not affected

[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.21.3.el7.x86_64

This system is Not affected

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

2 Fix by changing a kernel parameter (temporary method, no machine reboot required)

[root@CentOS7 ~]# wget https://access.redhat.com/sites/default/files/cve-2019-11477--2019-06-17-1629.sh

# Check the current vulnerability status: the system is vulnerable

[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Vulnerable

* Running kernel is vulnerable

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

# Change the kernel parameter (disable TCP selective acknowledgements)

[root@CentOS7 ~]# echo 0 > /proc/sys/net/ipv4/tcp_sack

# Check the vulnerability status again

[root@CentOS7 ~]# sh cve-2019-11477--2019-06-17-1629.sh

This script (v1.0) is primarily designed to detect CVE-2019-11477 on supported

Red Hat Enterprise Linux systems and kernel packages.

Result may be inaccurate for other RPM based systems.

Running kernel: 3.10.0-957.5.1.el7.x86_64

This system is Mitigated

* Running kernel is vulnerable

* sysctl mitigation is applied

For more information about this vulnerability, see:

https://access.redhat.com/security/vulnerabilities/tcpsack

# This setting is lost after a reboot; it is recommended only as a temporary measure, or persist it in the sysctl.conf configuration file

3 Recommendation

First apply the temporary method of changing the kernel parameter, which takes effect immediately.

Then upgrade the kernel; the permanent fix takes effect automatically once the machine can be rebooted.
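The two checks the post performs by hand (is the running kernel already the fixed build, and is the tcp_sack mitigation in place) can be folded into one script that reports the same three states as the Red Hat detection script. The following is an added example, not code from the original post or from Red Hat: it assumes that the first fixed build is the 3.10.0-957.21.3.el7 kernel that the page's `yum update` installed, that the comparison is only meaningful for 3.10.0-957.* el7 kernels, and that the drop-in file name `/etc/sysctl.d/99-cve-2019-11477.conf` is a hypothetical choice for persisting the setting.

```shell
#!/bin/sh
# Added example (not part of the original post): classify a CentOS 7 host for
# CVE-2019-11477 the way the Red Hat script's three results do (Not affected /
# Mitigated / Vulnerable), using only the running kernel release and the
# net.ipv4.tcp_sack value, and emit the persistent sysctl setting.
#
# Assumption: FIXED_KERNEL is the first fixed build seen on the page; the
# numeric comparison is only meaningful within the 3.10.0-957.* el7 branch.
FIXED_KERNEL="3.10.0-957.21.3.el7"

# ver_ge A B: succeed when release string A is >= B, comparing numeric fields
# split on "." and "-" (non-numeric fields such as "el7" count as 0).
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[.-]/); nb = split(b, y, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# kernel_is_fixed RELEASE: strip the arch suffix and compare against FIXED_KERNEL.
kernel_is_fixed() {
    ver_ge "${1%.x86_64}" "$FIXED_KERNEL"
}

# classify RELEASE TCP_SACK: print the status the Red Hat script would report.
# A fixed running kernel wins; otherwise tcp_sack=0 counts as the sysctl
# mitigation from section 2 of the post.
classify() {
    if kernel_is_fixed "$1"; then
        echo "Not affected"
    elif [ "$2" = "0" ]; then
        echo "Mitigated"
    else
        echo "Vulnerable"
    fi
}

# sysctl_dropin: the one-line setting to persist so the mitigation survives a
# reboot. Hypothetical destination: /etc/sysctl.d/99-cve-2019-11477.conf,
# followed by "sysctl --system" to apply it on CentOS 7 without rebooting.
sysctl_dropin() {
    echo "net.ipv4.tcp_sack = 0"
}

# report_host: run the classification against the live host when the
# tcp_sack knob is readable (it is absent on non-Linux hosts).
report_host() {
    sack=unknown
    [ -r /proc/sys/net/ipv4/tcp_sack ] && sack=$(cat /proc/sys/net/ipv4/tcp_sack)
    echo "Running kernel: $(uname -r), tcp_sack=$sack -> $(classify "$(uname -r)" "$sack")"
}

report_host
```

Run it as root on the host after each step of the post: before the kernel update it reports Vulnerable, after `echo 0 > /proc/sys/net/ipv4/tcp_sack` it reports Mitigated, and after the reboot into the 957.21.3 kernel it reports Not affected, matching the three outputs shown above. The classification depends on the running kernel, not the installed packages, which is why a freshly installed kernel still reports vulnerable until the reboot.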
