openssh 7.5


During a recent security scan on our network, I took hits for having vulnerable openssh packages installed on my RHEL 7.4 servers.

The description from Tenable is: https://www.tenable.com/pvs-plugins/700019

The solution is to install openssh 7.5 or better but I don't see it available in the RHEL package browser.

Is the RHEL openssh 7.4 version affected by the directory traversal exploit explained above?

Will we see a 7.5 version soon if so?

Thanks for any insight.

R,
Aaron


Responses

Hi Aaron,

As openssh is one of those packages that is important for the security of server infrastructures, it gets updated frequently.
From my experience I can tell you that Red Hat is extremely concerned about security; you can expect the new version soon.
The time it takes until it is released depends on the importance and severity of the security issue and on whether RHEL is vulnerable.

Regards,
Christian

This issue only affects OpenSSH Portable's sftp-client when executed on Cygwin, so RHEL or any other Linux distribution is not affected:

https://github.com/openssh/openssh-portable/commit/89f04852

Thank you for the clarification.
Now to get our ACAS folks to understand it like that.

R, Aaron

Sounds like your ACAS folks haven't properly/fully set up their ACAS frameworks. Properly set up, ACAS will cross-reference generic CVEs against the vendor-specific database that applies to the scan-target. When so set up, if you've installed the appropriate vendor package-versions - or if the CVE is a "does not apply to platform" - ACAS will greenlight your config (at least for that CVE).

If your ACAS folks haven't configured their scanning system to do that, you may have more to overcome than simply explaining why this particular CVE does not apply. Good luck.
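The thread turns on a point that version-matching scanners miss: Red Hat backports security fixes into the shipped package release (openssh-7.4p1-&lt;release&gt;), so the upstream version string alone does not say whether a given CVE is fixed, and a CVE can also simply not apply to the platform, as with the Cygwin-only sftp-client issue above. The following is an added example, not code from the thread or from Red Hat; it reads the package changelog that rpm records (`rpm -q --changelog PKG`) for a CVE id, which is the manual equivalent of the vendor cross-reference the ACAS reply describes. The CVE id CVE-0000-00000, the maintainer name and the sample changelog text are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Red Hat): check whether a RHEL
# package's rpm changelog records a fix for a CVE. Red Hat backports fixes, so
# openssh-7.4p1-<release> can contain a fix a scanner attributes to 7.5.
# CVE-0000-00000 and SAMPLE_CHANGELOG below are constructed placeholders.

# Usage: changelog_mentions_cve CVE-ID  (changelog text on stdin)
# Exit status 0 when the CVE id appears in the changelog, 1 otherwise.
changelog_mentions_cve() {
    grep -qi -- "$1"
}

# Usage: package_status PKG CVE-ID   (on a real RHEL host; needs rpm)
# Prints a one-line verdict and returns 0 if the CVE is listed as fixed.
package_status() {
    pkg="$1"; cve="$2"
    if rpm -q --changelog "$pkg" 2>/dev/null | changelog_mentions_cve "$cve"; then
        echo "$pkg: $cve listed in changelog (fix backported)"
        return 0
    fi
    echo "$pkg: $cve not in changelog; confirm on the Red Hat CVE page before escalating"
    return 1
}

# Constructed sample resembling `rpm -q --changelog openssh` output.
SAMPLE_CHANGELOG='* Tue Jan 01 2019 Example Maintainer <maintainer@example.com> - 7.4p1-16
- Backport fix for CVE-0000-00000 (constructed placeholder entry)
* Mon Dec 03 2018 Example Maintainer <maintainer@example.com> - 7.4p1-15
- Rebase to upstream 7.4p1'

# Offline demonstration on the constructed text (no rpm needed).
demo() {
    if printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_mentions_cve CVE-0000-00000; then
        echo fixed
    else
        echo unknown
    fi
}
```

On a real host, `package_status openssh CVE-XXXX-YYYY` is the call to run; a "not in changelog" result is not proof of exposure, since the issue may not affect the platform at all, which is why the follow-up check against Red Hat's own CVE page is the step that settles a scanner finding.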
