Three related flaws were found in the Linux kernel's handling of TCP networking. The issues have been assigned three CVEs: CVE-2019-11477, CVE-2019-11478 and CVE-2019-11479.
The most severe of the three, known as SACK Panic (CVE-2019-11477), could allow a remote attacker to trigger a kernel panic on systems running the affected software and, as a result, impact the system's availability. CVE-2019-11478 and CVE-2019-11479, while less severe, could still lead to resource exhaustion on affected systems.
These issues are addressed either by applying mitigations or by applying Linux kernel patches. Patches have been released for CVE-2019-11477 and CVE-2019-11478. The vulnerability described in CVE-2019-11479 stems primarily from the TCP specification not defining a minimum value for the Maximum Segment Size (MSS), so a peer can advertise an extremely small MSS.
A kernel option for enforcing a minimum MSS (the net.ipv4.tcp_min_snd_mss sysctl) has been added to upstream Linux and is available in most recent downstream kernel versions. Note that an MSS limit cannot be applied automatically and must be set on a case-by-case basis, because rejecting small segment sizes may break valid TCP connections with peers that legitimately advertise a small MSS.
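To see where a given Linux host stands, the following POSIX shell check is added here as an example; it is not part of Western Digital's advisory or software. It assumes the standard sysctl names net.ipv4.tcp_sack and net.ipv4.tcp_min_snd_mss, treats the presence of tcp_min_snd_mss as the sign that the kernel carries the upstream minimum-MSS change, and takes the sysctl directory as a parameter (defaulting to /proc/sys/net/ipv4) so it can also be run against a constructed fixture. The mitigation lines it prints are the publicly documented ones (disabling SACK, or dropping SYNs that advertise a very small MSS) and are shown for review rather than applied.

```shell
#!/bin/sh
# Added example, not Western Digital's code. Reports where a Linux host
# stands with respect to the SACK Panic kernel knobs and prints the matching
# mitigation. Assumes the standard sysctl names net.ipv4.tcp_sack and
# net.ipv4.tcp_min_snd_mss; the sysctl directory is a parameter so the
# functions can be exercised against a constructed fixture directory.

# Print the sysctl value stored in DIR/NAME, or "missing" if absent.
read_knob() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# Classify the host:
#   patched   - tcp_min_snd_mss exists, so the kernel carries the upstream
#               minimum-MSS change associated with CVE-2019-11479
#   mitigated - no such knob, but SACK is disabled, which blunts
#               CVE-2019-11477 and CVE-2019-11478
#   exposed   - neither
sack_state() {
    dir="${1:-/proc/sys/net/ipv4}"
    min_mss=$(read_knob "$dir" tcp_min_snd_mss)
    sack=$(read_knob "$dir" tcp_sack)
    if [ "$min_mss" != missing ]; then
        echo patched
    elif [ "$sack" = 0 ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Print the configuration that applies to STATE. Nothing is changed here:
# the lines are shown so they can be reviewed first, because a raised
# minimum MSS or a low-MSS drop rule can break legitimate peers that
# advertise a small MSS.
mitigation_for() {
    case "$1" in
        patched)
            echo "# kernel carries the fix; review the enforced minimum send MSS"
            echo "sysctl net.ipv4.tcp_min_snd_mss"
            ;;
        mitigated)
            echo "# SACK is disabled; re-enable only once the kernel update is installed"
            echo "sysctl -w net.ipv4.tcp_sack=1"
            ;;
        exposed)
            echo "# temporary mitigation until the kernel update is applied"
            echo "sysctl -w net.ipv4.tcp_sack=0"
            echo "# alternative: drop SYNs advertising an MSS of 500 bytes or less"
            echo "iptables -I INPUT -p tcp --tcp-flags SYN SYN -m tcpmss --mss 1:500 -j DROP"
            ;;
        *)
            echo "unknown state: $1" >&2
            return 1
            ;;
    esac
}

# Stand-alone use: ./sack_check.sh [sysctl-dir]
state=$(sack_state "$1")
echo "state: $state"
mitigation_for "$state"
```

The script only reads /proc/sys, so it does not need root to classify a host; applying any of the printed sysctl or iptables lines does. Whichever mitigation is chosen, re-check the state after the vendor update so that SACK is not left disabled longer than necessary.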
Western Digital has incorporated these kernel patches, together with the ability to set the minimum MSS, into its software updates.
For mitigations, contact Western Digital support by phone or by submitting a support ticket.