In our infra we have servers installed with CentOS 7. A recent scan (by Tenable) on the servers found a vulnerability with the current openssh version. The current version of the openssh package is 7.4p1; please find the information below:

Code:
* Thu Dmitry Belyavskiy - 7.4p1-22 + 0.10.3-2
avoid segfault in Kerberos cache cleanup (#1999263)

Tenable is suggesting that we upgrade the openssh package to version 8.2 or higher on these machines. But I am sure Red Hat/CentOS started shipping openssh version 8.x only from RHEL/CentOS 8. So I don't think this is a best-practice method, I mean using an openssh package with version 8.x on CentOS 7. If this is not a false positive and is applicable, I am sure this may lead to many issues due to incompatibility. Could you please confirm whether this is a false positive and not applicable to CentOS 7? Please correct me if I am wrong.

Here is an article from Tenable regarding this:

To CentOS 7, then please do let us know the best recommended solution to address this issue. Please do let us know for any further information.

Reply:

And, no, upgrading to openssh 8.x is not practical or recommended. For a start, where would you get it from? No-one supplies a packaged version of this, so you would have to build it yourself, and if you do that from source and install it then it will overwrite the one we supply, and next time there is an upgrade to ours it will back out your self-built version and maybe render it non-operational (which I guess is 'secure'!). Or you have to package it yourself and install it as an upgrade, in which case, next time there is a security vulnerability in it and Red Hat fix it, you would not get the updated version of 7.4p1 as your installed one would be a higher version. So you'd have to subscribe to the openssh mailing list to get notification that a newer version was out and then repackage it, rebuild it and reinstall it. All far too much work. Stick with the CentOS version, run `yum update` regularly and get security updates to the installed copy automatically.

Qualys is showing the following:

S3 - OpenSSH Command Injection Vulnerability (Generic)
QID: 105936
CVE ID: CVE-2020-15778
Vendor Reference: OpenSSH
Bugtraq ID:
CVSS Base: 6.8
CVSS Temporal: 6.1
CVSS3 Base: 7.8
CVSS3 Temporal: 7.0
Times Detected: 53
Last Fixed: N/A

THREAT: OpenSSH is the premier connectivity tool for remote login with the SSH protocol. Note: Affected version checked till 8.6p1 as per PoC.

IMPACT: Successful exploitation could disclose sensitive information.

SOLUTION: No solution available from Linux vendors yet.
Workaround: As per upstream, this is because of the way scp is based on a historical protocol called rcp, which relies on that style of argument passing and therefore encounters expansion problems. Making changes to how the scp command line works breaks the pattern used by scp consumers. Upstream, therefore, recommends the use of rsync in the place of scp for better security. More details about supported alternatives are available in the Red Hat guide.

EXPLOITABILITY:
Qualys Reference: CVE-2020-15778
Description:
Github Link:

ASSOCIATED MALWARE: There is no malware information for this vulnerability.

RESULTS: Vulnerable version of OpenSSH Detected: OpenSSH_7.2p2, OpenSSL 1.0.2j-fips
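The script below is an added example; it is not code from the thread, from OpenSSH, Qualys or Tenable. It shows the two things the thread talks past: what the "expansion problems" in scp's argument passing actually are (the mechanism behind CVE-2020-15778), and why a banner-based version check flags a RHEL/CentOS package regardless of what the vendor has backported into it. Assumptions: the "remote shell" is emulated locally with `sh -c` and a stub `scp` function so nothing needs an sshd; the banner strings are the ones quoted in the thread; the 8.2 threshold is the figure Tenable gave the poster; the changelog text is constructed here and CVE-2099-00001 is a placeholder identifier, not a real CVE.

```shell
#!/bin/sh
# Added example, not from the forum thread, OpenSSH, Qualys or Tenable.
#  1. scp(1) embeds the remote path verbatim in the command it asks ssh to run, and
#     the remote login shell expands that string (backticks, $(), globs) before
#     "scp -t" ever sees it. That is CVE-2020-15778.
#  2. RHEL/CentOS keep the upstream version string (7.4p1) and backport fixes, so a
#     banner check and a changelog check can disagree about the same package.
# Runs offline: the remote shell is a local sh -c with a stub scp, the banner and
# changelog inputs are constructed below.

# --- 1. scp argument passing --------------------------------------------------
# scp(1) builds "scp -t <target>" (toremote() in scp.c) and hands that one string
# to ssh; sshd on the far side runs it as:  $SHELL -c 'scp -t <target>'
build_scp_remote_cmd() {
    printf 'scp -t %s' "$1"
}

# Stand-in for the remote login shell. The stub scp() only reports its arguments,
# so we can see what the real "scp -t" would have been handed after expansion.
emulate_remote_shell() {
    sh -c 'scp() { printf "scp received: %s\n" "$*"; }; '"$1"
}

# --- 2. banner check vs. changelog check ---------------------------------------
# Version from an SSH banner or "ssh -V 2>&1" output,
# e.g. "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> "7.4p1"
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\(p[0-9]*\)\{0,1\}\).*/\1/p'
}

major_of() { printf '%s\n' "${1%%.*}"; }
minor_of() {                       # digits after the first dot; "4p1" -> 4
    case $1 in
        *.*) m=${1#*.}; printf '%s\n' "${m%%[!0-9]*}" ;;
        *)   printf '0\n' ;;
    esac
}

# True (exit 0) when major.minor of $1 is below $2. The pN suffix is the portable
# release number and is ignored, which is roughly what a generic version check does.
version_older_than() {
    a=$(major_of "$1"); b=$(minor_of "$1")
    c=$(major_of "$2"); d=$(minor_of "$2")
    [ "$a" -lt "$c" ] || { [ "$a" -eq "$c" ] && [ "$b" -lt "$d" ]; }
}

# Vendor-side check. On a real host:  rpm -q --changelog openssh | grep -i CVE-2020-15778
# Constructed changelog text in rpm format. The first entry is modelled on the one
# quoted in the thread (without the date and e-mail the page does not show); the
# second is invented so that the search has something to find.
SAMPLE_CHANGELOG='* Thu Dmitry Belyavskiy - 7.4p1-22 + 0.10.3-2
- avoid segfault in Kerberos cache cleanup (#1999263)
* (constructed) Example Packager - 7.4p1-21 + 0.10.3-2
- constructed example of a backported fix for CVE-2099-00001'

# Prints "yes" if the CVE id appears in the changelog text ($2), "no" otherwise.
changelog_mentions() {
    if printf '%s\n' "$2" | grep -qi -- "$1"; then echo yes; else echo no; fi
}

# --- demo ----------------------------------------------------------------------
demo() {
    echo "# benign remote path:"
    emulate_remote_shell "$(build_scp_remote_cmd '/tmp/plain.txt')"
    echo "# remote path carrying backticks, the shape the PoC relies on:"
    emulate_remote_shell "$(build_scp_remote_cmd '/tmp/`echo INJECTED`x')"
    for banner in "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" \
                  "OpenSSH_7.2p2, OpenSSL 1.0.2j-fips"; do
        v=$(banner_version "$banner")
        if version_older_than "$v" 8.2; then flag=flagged; else flag=clear; fi
        echo "banner $v vs threshold 8.2: $flag;" \
             "changelog mentions CVE-2020-15778: $(changelog_mentions CVE-2020-15778 "$SAMPLE_CHANGELOG")"
    done
}
demo
```

On a real host, replace the constructed inputs with `ssh -V 2>&1` and `rpm -q --changelog openssh`. Whatever the remote shell expands runs on the server as the authenticated user, so the issue matters mostly where an account is meant to be limited to file transfer; a benign-looking filename is enough to trigger it. OpenSSH 8.7 added `scp -s` to move files over SFTP instead of the rcp-style protocol, and 9.0 made that the default, which takes the remote shell out of the path entirely.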