Security Advisory: Patching Azure HDInsight clusters to address Linux Kernel TCP vulnerabilities
Updated: 27 June, 2019
Microsoft Azure is aware of three critical vulnerabilities that affect the Linux kernel: (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479). An updated image, with patches for the above vulnerabilities, for HDInsight clusters is now available.
- No further action is needed for clusters that were created after 24 June 2019. These clusters have picked up the patched images.
- For clusters created prior to 24 June 2019, you will need to reboot the VMs in the cluster at your convenience.
- Reboot all of the VMs at the same time: Please use this script (kernel-patch-and-reboot.sh) as a persisted customised script action.
- Reboot VMs in a staggered manner: Please use (HDInsight OS patching) to schedule the reboot of VMs in a staggered manner across a 24-hour window. If you are using scaling feature to scale up the size of the cluster including using Autoscale capability, please use this script (kernel-patch-and-reboot.sh) as a persisted customised script action for the patch to be applied on the scaled up VMs.
Please contact Azure Support in case you encounter any issues.