Security Advisory: Patching Azure HDInsight clusters to address Linux Kernel TCP vulnerabilities

Posted on Wednesday, June 26, 2019

Microsoft Azure is aware of 3 critical vulnerabilities that affect the Linux kernel: (CVE-2019-11477CVE-2019-11478CVE-2019-11479). An updated image, with patches for the above vulnerabilities, for HDInsight clusters is now available.

  1. No further action is needed for clusters that were created after June 24th, 2019. These clusters have picked up the patched images.
  2. For clusters created prior to June 24th,2019, you will need to reboot the VMs in the cluster at your convenience.
    1. Reboot all the VMs at the same time: Please use this script (kernel-patch-and-reboot.sh) as a persisted customized script action.
    2. Reboot VMs in a staggered manner: Please use (HDInsight OS patching) to schedule the reboot of VMs in a staggered manner across a 24-hour window. If you are using scaling feature to scale up the size of the cluster including using Autoscale capability, please use this script (kernel-patch-and-reboot.sh) as a persisted customized script action for the patch to be applied on the scaled up VMs.

 

Please contact Azure Support in case you encounter any issues.

  • HDInsight
  • Security