FTP / FTPS Transfer Failures after Linux TCP SACK Panic Patch


Support_Tim

Posts: 35
Joined: Mon Dec 01, 2014 10:35 am

Post by Support_Tim » Wed Aug 07, 2019 4:11 pm
GoAnywhere MFT Support has had several customers running on the Linux operating system report that their FTP(S) transfers were disrupted after installing the Linux TCP SACK Panic security patch. At this time, only upload issues have been encountered. If another upgrade is not yet available to correct this Linux kernel issue, and if the Linux OS vendor has not provided another way to remedy the disruption, you may consider a downgrade to the previous Linux patch version in order to resume FTP transfers.

However, removing the security patch can allow for continued functionality of GoAnywhere MFT for FTP(S) uploads, but could expose the customer to the associated Linux OS vulnerabilities:

• CVE-2019-11477 TCP SACK PANIC :: CVSSv2 Score 7.8 HIGH :: CVSSv3 Score 7.5 HIGH
https://nvd.nist.gov/vuln/detail/CVE-2019-11477

• CVE-2019-11478 TCP SACK PANIC :: CVSSv2 Score 5.0 MEDIUM :: CVSSv3 Score 7.5 HIGH
https://nvd.nist.gov/vuln/detail/CVE-2019-11478

• CVE-2019-11479 TCP SACK PANIC :: CVSSv2 Score 5.0 MEDIUM :: CVSSv3 Score 7.5 HIGH
https://nvd.nist.gov/vuln/detail/CVE-2019-11479

GoAnywhere does not advise a particular course of action regarding the removal of the Linux security patch. Customers should follow their organization's vulnerability management and change management policies. Certain Linux vendors have provided potential mitigation steps that could be investigated by the customer's IT team. Please consult your Linux vendor's security advisories:

Red Hat Enterprise Linux TCP SACK PANIC (includes patch information and mitigations):
https://access.redhat.com/security/vuln ... es/tcpsack

Ubuntu SACKPanic (includes patch information and mitigations):
https://wiki.ubuntu.com/SecurityTeam/Kn ... /SACKPanic

SUSE Linux Enterprise Server TCP SACK Denial of Service attacks “SACK Panic” (includes patch information and mitigations):
https://www.suse.com/support/kb/doc/?id=7023928

Oracle Linux CVE-2019-11477, CVE-2019-11478, and CVE-2019-11479:
https://linux.oracle.com/cve/CVE-2019-11477.html
https://linux.oracle.com/cve/CVE-2019-11478.html
https://linux.oracle.com/cve/CVE-2019-11479.html

SANS ISC (third party) Report on mitigation: https://isc.sans.edu/forums/diary/What+ ... nic/25046/

We provide this information as a convenience, as the GoAnywhere development team has confirmed that the problem is beyond the reach of the application, as it is a low-level, Linux kernel code change.

HelpSystems GoAnywhere Support
August 7, 2019