openssh vulnerability
I am running openssh-server-5.3p1-20.el6.x86_64 and our vulnerability scan shows this as a problem. Where can I find an rpm later than this from red hat that doesn't have this vulnerability?
Responses
With the meagre info you provided, I can only tell that you're running RHEL6 and that you don't have the latest version that Red Hat provides. As of this moment, the latest version available in the standard channels is openssh-server-5.3p1-84.1.el6.
If you want any more help than that, you'll need to actually share the relevant CVE numbers your scanner reported. ... Or else look them up yourself in our constantly-updated CVE Database (found under the Security tab of the Customer Portal).
Hi there Robin!
Could we maybe tackle this from a different angle?
Looking at the CVEs reported in your support case:
- Two of the vulnerabilities do not apply to ssh as-shipped with RHEL6.
- One vulnerability relates to TCP slot exhaustion. This could be addressed at a firewall level (either locally with an iptables ratelimit, or at the network level)
- One vulnerability applies to gssapi-with-mic authentication. This can usually just be disabled.
- The last vulnerability describes the ability of already-authenticated users to consume resources via sftp. If all you need is remote login shells, sftp functionality could possibly be disabled as well. Considering this last one comes from users who you've already given permission to access your ssh server, the risk of actually suffering an attack because of this bug may be very minimal.
What I'm hoping to show is that you have options other than just upgrading the software version. You may be able to prevent a possible attack elsewhere in your environment; you may be able to turn off vulnerable functionality which you're not using anyway; or you may just assess your risk of suffering from these attacks and determine your business is so unlikely to be attacked by a known, authenticated user that it's not actually a risk at all. This would depend on who's actually allowed to log into your ssh server.
Upgrading the software from our supported version, which has gone through all the Red Hat testing and certification and stability work, and replacing that with upstream software which has seen none of that development effort, is arguably a risk for your business as well. Third-party software is also not covered by our technical support, so if you faced issues with an upstream software version, you'd need to rely on the community for assistance. Many upstream communities are great, but they have no concept of issue ownership or severity or response time or any of the other advantages that you get from your support entitlement.
Hopefully this can help you make a case responding to the security scan, to provide to your management, showing that you've either worked around the security issues or that a very low risk of known users attacking you is better than an unknown risk of running software not from Red Hat.
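The three local workarounds the reply above lists (an iptables rate limit for the connection-slot exhaustion issue, turning off gssapi-with-mic, and dropping the sftp subsystem) as an added, runnable example. This is not the poster's configuration and not Red Hat tooling; it runs on a constructed sample sshd_config embedded in the script and assumes sshd listens on TCP port 22, that iptables is the local firewall, and that the sftp Subsystem line looks like the RHEL6 default. The iptables commands are printed rather than executed so the script can be run and inspected without root.

```sh
#!/bin/sh
# Added example, not from the original thread or from Red Hat.
# Assumptions: sshd on TCP 22, iptables as the local firewall, RHEL6-style
# sftp Subsystem line. Works with any POSIX sh plus awk.

# Constructed sample sshd_config (assumption: mirrors the relevant RHEL6 defaults).
SAMPLE_CONFIG='Port 22
Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server'

# harden_sshd_config: sshd_config on stdin, hardened copy on stdout.
#  - forces GSSAPIAuthentication off, so gssapi-with-mic is never offered
#    (the directive is appended if the file never mentioned it)
#  - comments out the sftp Subsystem, so sftp requests are refused while
#    interactive logins and scp keep working
harden_sshd_config() {
    awk '
        /^[ \t]*GSSAPIAuthentication[ \t]/ { print "GSSAPIAuthentication no"; seen = 1; next }
        /^[ \t]*Subsystem[ \t]+sftp[ \t]/  { print "# " $0; next }
        { print }
        END { if (!seen) print "GSSAPIAuthentication no" }
    '
}

# is_hardened: sshd_config on stdin; exit 0 only if neither feature is still
# active (no uncommented "GSSAPIAuthentication yes" and no uncommented sftp Subsystem).
is_hardened() {
    awk '
        /^[ \t]*GSSAPIAuthentication[ \t]+yes/ { bad = 1 }
        /^[ \t]*Subsystem[ \t]+sftp[ \t]/      { bad = 1 }
        END { exit bad + 0 }
    '
}

# ssh_ratelimit_rules PORT: print (not run) iptables rules that drop further
# new connections from a source address once it has opened 5 within 60 seconds,
# the local mitigation for connection-slot exhaustion. Inserted at the top of
# INPUT so they are evaluated before the distribution's own ACCEPT for port 22;
# the --set rule must come before the --update/DROP rule.
ssh_ratelimit_rules() {
    port=${1:-22}
    printf 'iptables -I INPUT 1 -p tcp --dport %s -m state --state NEW -m recent --set --name SSH\n' "$port"
    printf 'iptables -I INPUT 2 -p tcp --dport %s -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH -j DROP\n' "$port"
}

# Demonstration on the constructed config.
printf '%s\n' "$SAMPLE_CONFIG" | harden_sshd_config
ssh_ratelimit_rules 22
```

To apply this for real, write the hardened output to a file, validate it with `sshd -t -f <file>` before copying it over /etc/ssh/sshd_config and restarting sshd, and make the iptables rules persistent with `service iptables save`. Bear in mind that a per-source limit on new connections also throttles legitimate users who share one NAT address, so tune the hitcount to how your administrators actually connect.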
