Linux kernel TCP vulnerability


We are aware of a denial of service vulnerability, named SegmentSmack (CVE-2018-5390), that affects the kernel of many Linux distributions, including Ubuntu 16.04 LTS machines. The TCP implementation in the Linux kernel makes the system vulnerable to a denial of service: if several 1-byte segments are sent to the system over an open TCP connection, the system becomes unresponsive with 100% CPU utilization. You can read more about this vulnerability on the CERT/CC website and in the Ubuntu security notes blog.

As a result, we recommend that you immediately patch the nodes in your Service Fabric Linux clusters. You have the following options:

  1. Automatically patch your cluster’s nodes using the Patch Orchestration Application (POA) – The POA is a Service Fabric application available for automating OS patching on Ubuntu clusters without downtime (through a monitored rolling upgrade). Refer to this article on how to go about downloading and installing this app on your Service Fabric cluster.
  2. Upgrade your VMSS OS Image through an ARM Upgrade
    1. Update your OS image using the latest OS version – if you are using image version "latest", you can use the VMSS OSRollingUpgrade command to reapply the latest image. See
      https://docs.microsoft.com/en-us/rest/api/compute/virtualmachinescalesetrollingupgrades/startosupgrade for further details.
    2. Update your OS image for a VMSS bound to a specific version – you can modify your ARM template or update your VMSS definition:
"storageProfile": {
    "imageReference": {
        "publisher": "Canonical",
        "offer": "UbuntuServer",
        "sku": "16.04-LTS",
        "version": "latest"
    },

For the "version" that you choose, you can either set it to "latest" to receive the most up-to-date patches, or you can use the explicit version 16.04.201808060 (which includes kernel version 4.15.0-1019, the build that contains the fix).

  3. Manually patch your cluster’s nodes – you can manually follow the steps that the POA takes to upgrade your nodes on a per node or per upgrade domain basis. Here are the steps you should take to patch your nodes manually:
    1. Check for health of the cluster before patch
    2. Disable a node OR multiple nodes belonging to same upgrade domain – this is to gracefully transfer workloads from nodes going down for the patch to other nodes in the cluster.
      You can do this via SFX, PowerShell, or through sfctl ("sfctl node disable --node-name <node_name> --deactivation-intent restart")
    3. Wait for node(s) to be in “Disabled” state – this step may take a while based on what is running on the node(s)
    4. Run these steps to install patches on the node(s):
      1. pull the latest patches: sudo apt-get update
      2. install the latest patches:  sudo apt-get dist-upgrade
      3. restart the node (needed for kernel upgrades to go through)
    5. Once the node is back up, enable the node(s) in Service Fabric. You can do this through SFX, PowerShell, or sfctl ("sfctl node enable --node-name <node_name>")
    6. Check for changes in health status once the node is back online by comparing with the health observed in step 1
    7. If there are no changes, continue rolling out the upgrade to the next node / set of nodes
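The manual procedure above, scripted for one node as an added example (this is not code from the original post or from Service Fabric). It runs on an admin machine where sfctl is already logged in to the cluster and which has SSH access to the node. Assumptions beyond what the post states: sfctl's JSON output carries "nodeStatus" (values "Disabled" and "Up") and "aggregatedHealthState" keys, the node is reached with plain `ssh <host>`, and the node runs the 4.15 Azure kernel line the post names, where 4.15.0-1019 is the first build with the fix (other kernel lines have their own fixed versions, so FIXED_KERNEL must be set accordingly). The one thing the script adds to the post's steps is a check that refuses to re-enable a node whose running kernel is still below the fixed version.

```shell
#!/bin/sh
# Added example, not code from the original post or from Service Fabric.
# Drives the manual per-node patch procedure from an admin machine with
# sfctl logged in to the cluster and SSH access to the node.
# Assumed (not stated in the post): sfctl JSON keys "nodeStatus" and
# "aggregatedHealthState"; FIXED_KERNEL applies to the 4.15 Azure kernel line only.
set -u

FIXED_KERNEL="${FIXED_KERNEL:-4.15.0-1019}"   # first 4.15 Azure build with the SegmentSmack fix (per the post)
POLL_SECONDS=15

# version_ge A B: succeed when kernel release string A is at least B.
# "4.15.0-1019-azure" is compared as the fields 4 15 0 1019 (a trailing
# flavour word such as "azure" counts as 0), so A may come straight from `uname -r`.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-/, ".", a); gsub(/-/, ".", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # "+0" turns "azure"/"generic" into 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Step 1 / step 6: aggregated cluster health as sfctl reports it (assumed key name).
cluster_health() {
    sfctl cluster health | grep -o '"aggregatedHealthState": *"[A-Za-z]*"'
}

# Step 2: drain the node so workloads move off it before the reboot.
disable_node() {
    sfctl node disable --node-name "$1" --deactivation-intent restart
}

# Step 3 (and after step 5): block until Service Fabric reports the expected nodeStatus.
wait_for_status() {   # $1 node name, $2 expected nodeStatus value
    until sfctl node info --node-name "$1" | grep -q "\"nodeStatus\": *\"$2\""; do
        sleep "$POLL_SECONDS"
    done
}

# Step 4: patch and reboot over SSH; the reboot drops the session, which is expected.
patch_and_reboot() {
    ssh "$1" 'sudo apt-get update && sudo apt-get -y dist-upgrade && sudo reboot' || true
    sleep "$POLL_SECONDS"
    until ssh -o ConnectTimeout=5 "$1" true 2>/dev/null; do sleep "$POLL_SECONDS"; done
}

# Steps 1-7 for one node; refuses to re-enable a node whose kernel is still unpatched.
patch_node() {   # $1 Service Fabric node name, $2 SSH host of that node
    before=$(cluster_health)
    echo "health before: $before"
    disable_node "$1"
    wait_for_status "$1" "Disabled"
    patch_and_reboot "$2"
    running=$(ssh "$2" uname -r)
    if ! version_ge "$running" "$FIXED_KERNEL"; then
        echo "$1 still runs $running (< $FIXED_KERNEL); leaving it disabled" >&2
        return 1
    fi
    sfctl node enable --node-name "$1"          # step 5
    wait_for_status "$1" "Up"
    after=$(cluster_health)
    echo "health after:  $after"
    [ "$before" = "$after" ] || { echo "health changed; stop the rollout and investigate" >&2; return 1; }
}

# Only drives a node when told which one; otherwise the file just defines the helpers.
if [ -n "${NODE_NAME:-}" ] && [ -n "${NODE_HOST:-}" ]; then
    patch_node "$NODE_NAME" "$NODE_HOST"
fi
```

Run it once per node (or once per node within an upgrade domain, in parallel) as `NODE_NAME=<node_name> NODE_HOST=<node_ip> sh patch_node.sh`, and move on to the next node only when it exits 0, which mirrors step 7. The version comparison is deliberately field by field rather than a string compare, because "4.15.0-1023" must sort after "4.15.0-1019" even though it does not lexically.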

Please feel free to reach out to Azure Support if you are running into any issues with these options.


Comments (2)

  1. Typo in the title, folks! “Kernal”
