[BlueOnyx:20930] OpenSSH and PCI on 5208R

Jim Matysek matysekj at usms.org
Thu Apr 20 09:56:39 -05 2017


We are trying to pass a PCI compliance scan through TrustWave on a 
BlueOnyx 5208R VPS (SL version) running on Aventurin{e}. They are 
complaining about the version of OpenSSH on the box. Of the 9 complaints 
they have, I believe I've found documentation proving that the 
openssh-5.3p1-122.el6 version that we run is sufficiently patched to fix 
those issues or that those issues don't apply to our version -- all 
except for one issue.

Has anyone gone through this, or know enough about it to give me a hint 
on CVE-2016-10012 
(https://access.redhat.com/security/cve/CVE-2016-10012, 
https://nvd.nist.gov/vuln/detail/CVE-2016-10012)? From poking around, it 
sounds like Red Hat is saying that they don't have plans to fix this one 
because they see it as a lower priority item because your server would 
first have to be compromised through some other method before an 
attacker would even be able to get to the point of exploiting this 
vulnerability. I don't think that explanation will fly with Trustwave, 
so we would not get a passing status. Does anyone know more about this 
issue and a way to get through a scan or a successful way to challenge 
this finding?

Going out on a limb, is there a remote chance of getting openssh 7.4 on 
this server that is still running 5208R, or would the only way to get to 
that version be doing a full update to 5209R? I'm trying to avoid that.

-jim
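Added example, not part of Jim's post and not BlueOnyx or Red Hat code: when a scanner flags a package purely on its version banner, the evidence that a fix was backported is the RPM changelog (`rpm -q --changelog openssh` on the box), which lists the CVE ids each erratum addressed. The script below wraps that lookup in a small POSIX sh function so the same check can be run for every id the scanner reported. Because it has to run offline here, it embeds a constructed placeholder changelog with made-up CVE ids (CVE-2000-000x); on a real EL6 host you would pipe the actual `rpm` output into `cve_fixed_in_changelog` instead. A hit only shows the maintainer claimed to address that id; an absent id still needs a manual check against the vendor's CVE page.

```shell
#!/bin/sh
# Added example (not from the original post or the BlueOnyx project).
# Checks whether an RPM changelog mentions a given CVE id, the usual way to
# document a backported fix to a PCI scanner that only saw the version banner.
#
# Real usage on the server under discussion (not run here):
#   rpm -q --changelog openssh | cve_fixed_in_changelog CVE-2016-10012 \
#       && echo "fix documented" || echo "not in changelog"

# CONSTRUCTED sample changelog so the example runs offline. The dates, names
# and CVE ids are placeholders and say nothing about the real openssh package.
SAMPLE_CHANGELOG='* Mon Jan 01 2001 Example Maintainer <maint@example.invalid> - 5.3p1-1
- fix CVE-2000-0001 (constructed placeholder entry)
- fix CVE-2000-0002 (constructed placeholder entry)
* Sun Dec 31 2000 Example Maintainer <maint@example.invalid> - 5.3p1-0
- initial build'

# cve_fixed_in_changelog CVE-ID   (changelog text is read from stdin)
# Exit status 0 if the id appears, 1 otherwise. The surrounding non-digit
# classes stop CVE-2000-0001 from matching a query for CVE-2000-000 or
# CVE-2000-00010; -i tolerates lower-case "cve-" in the id.
cve_fixed_in_changelog() {
    cve="$1"
    grep -qiE "(^|[^0-9])${cve}([^0-9]|$)"
}

# Same check against the embedded sample; used for the offline demonstration.
sample_has_cve() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | cve_fixed_in_changelog "$1"
}

# Print one verdict per id so a list of scanner findings can be triaged.
report_cves() {
    for id in "$@"; do
        if sample_has_cve "$id"; then
            echo "$id: mentioned in changelog (cite the erratum to the scanner)"
        else
            echo "$id: not in changelog (check vendor CVE page; may be unfixed or not applicable)"
        fi
    done
}

# Stand-alone demonstration over the constructed sample.
report_cves CVE-2000-0001 CVE-2000-0003
```

To produce a complete report for a real finding list, replace `sample_has_cve` inside `report_cves` with a pipe from `rpm -q --changelog openssh`, and keep the output together with the `rpm -q openssh` version string as the artefact you hand to the scanning vendor.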
