[BlueOnyx:27052] Re: PCI problem with OpenSSH

Taco Scargo taco at blueonyx.nl
Fri Jun 14 03:24:58 -05 2024


Sorry, see Michael was 2 mins earlier :)
But you are safe!

> On 14 Jun 2024, at 10:23, Taco Scargo <taco at blueonyx.nl> wrote:
> 
> Hi Michael,
> 
> Check if you have openssh-8.0p1-24.el8.x86_64 installed.
> This is the RH version of the OpenSSH package that includes the fix.
> See: https://access.redhat.com/errata/RHSA-2024:3166
> 
> Best regards,
> 
> Taco Scargo
> 
>> On 14 Jun 2024, at 09:08, Michael Aronoff via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
>> 
>> I have a server that needs to pass a PCI Compliance scan. It passes everything except an issue with OpenSSH that I am not sure how to mitigate.
>> 
>> The results show that the CVE ID is CVE-2020-15778
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
>> 
>> The threat description is:
>> 
>> OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.
>> 
>> OpenSSH contains the following vulnerabilities:
>> OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
>> 
>> Affected Versions:
>> OpenSSH versions prior to 8.3
>> 
>> Anyone know if this can be fixed on a 5210R so it passes PCI Compliance?
>> 
>> Thanks, 
>> ________________________________
>> M Aronoff Out – maronoff at gmail.com
>>  
>> I'm a great believer in luck, and I find 
>> the harder I work the more I have of it.
>>   - Thomas Jefferson
> 
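
The check suggested in the thread, as an added example that is not part of the original messages: a scanner that flags on the upstream version string cannot see a vendor backport, so the evidence is the package release. The function names are hypothetical, only `8.0p1` builds for `el8` are compared, and it is an assumption that the package changelog lists the CVE ID.

```shell
#!/bin/sh
# Added example (not from the thread): does this EL8 host carry the
# backported OpenSSH build named in the thread?
FIXED_REL=24              # from "openssh-8.0p1-24.el8" (RHSA-2024:3166)
CVE_ID="CVE-2020-15778"   # CVE reported by the PCI scan

# vr_status VERSION-RELEASE -> prints fixed | outdated | unknown
vr_status() {
    case "$1" in
        8.0p1-[0-9]*.el8*) ;;            # only this build stream is comparable
        *) echo unknown; return 0 ;;
    esac
    vr_rel=${1#8.0p1-}                   # "24.el8_10" from "8.0p1-24.el8_10"
    vr_rel=${vr_rel%%.*}                 # leading release number, "24"
    case "$vr_rel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$vr_rel" -ge "$FIXED_REL" ]; then echo fixed; else echo outdated; fi
}

# changelog_has_cve: reads `rpm -q --changelog openssh` output on stdin.
# Assumption: the packager names the CVE ID in the changelog entry.
changelog_has_cve() {
    grep -q -F "$CVE_ID"
}

# Run as: sh check_openssh.sh --check   (script name is a placeholder)
if [ "${1:-}" = "--check" ]; then
    vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh) || exit 2
    echo "openssh $vr: $(vr_status "$vr")"
    if rpm -q --changelog openssh | changelog_has_cve; then
        echo "changelog lists $CVE_ID"
    else
        echo "changelog does not list $CVE_ID"
    fi
fi
```

The output of the `--check` run, together with the errata link from the thread, is what can be submitted to the scan vendor when disputing a finding based on the upstream version number alone.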
