Operating System - HP-UX

OpenSSH Command Injection Vulnerability

 
DjRg
New Member

I had a review and I got the following problem

Has anyone had this problem and if so, how did they solve it?

 
"OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.
OpenSSH contains the following vulnerabilities:
 
OpenSSH through 8.3p1 allows command injection in the scp.c toremote function, as demonstrated by backtick characters in the destination argument. NOTE: the vendor reportedly has stated that they intentionally omit validation of "anomalous argument transfers" because that could "stand a great chance of breaking existing workflows."
 
Affected Versions:
OpenSSH versions prior to 8.3
 
Customers are advised to upgrade to OpenSSH 8.3 (https://www.openssh.com/) or later to remediate these vulnerabilities.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
QID Detection Logic:
This unauthenticated detection works by reviewing the version of the OpenSSH service.
 
Vulnerable SSH-2.0-OpenSSH_8.0 PKIX[Portable] detected on port 22 over TCP."
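The finding says the detection is unauthenticated and based purely on the OpenSSH version string, with 8.3 as the cutoff. The script below is an added example (not the scanner's or HPE's own code) that reproduces that version-only logic so a defender can pre-check a list of banners before or after patching; the banners are constructed sample input, the first being the one quoted in the finding, and the 8.3 cutoff comes from the "Affected Versions" line above.

```python
import re
from typing import Optional, Tuple

# Constructed sample banners, as a scanner would read them from port 22.
# The first one is the banner quoted in the scan finding.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_8.0 PKIX[Portable]",
    "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7",
    "SSH-2.0-OpenSSH_8.3p1",
    "SSH-2.0-OpenSSH_9.6",
    "SSH-2.0-dropbear_2019.78",
]

# Fixed release named in the finding: OpenSSH 8.3 or later.
FIXED_VERSION = (8, 3)

# Identification string: "SSH-<proto>-OpenSSH_<major>.<minor>[p<n>] <comment>".
# The trailing comment ("PKIX[Portable]", distro suffixes) is deliberately not anchored.
_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?P<patch>p\d+)?"
)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an OpenSSH banner, or None if the
    banner is not OpenSSH or does not parse."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")))


def is_flagged_by_version(banner: str) -> Optional[bool]:
    """Version-only detection as described in the finding: any OpenSSH
    release before 8.3 is flagged. Returns None for non-OpenSSH banners so
    the caller can tell 'not applicable' apart from 'fixed'."""
    version = parse_openssh_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage(banners):
    """Sort banners into flagged / fixed / not_openssh buckets."""
    result = {"flagged": [], "fixed": [], "not_openssh": []}
    for banner in banners:
        verdict = is_flagged_by_version(banner)
        if verdict is None:
            result["not_openssh"].append(banner)
        elif verdict:
            result["flagged"].append(banner)
        else:
            result["fixed"].append(banner)
    return result


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_BANNERS).items():
        print(f"{bucket}: {items}")
```

Because the check only reads the banner, it cannot tell whether a vendor has backported a fix into an older version number; for a bundle such as the HP-UX PKIX build, confirm the installed product version and the vendor's release notes rather than relying on the banner alone, and re-run the check after upgrading to confirm the reported version is 8.3 or later.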
 
 
georgek_1
HPE Pro

Re: OpenSSH Command Injection Vulnerability

Hello DjRg,

As per the information shared, you need to update to OpenSSH 8.3 (https://www.openssh.com/) or later to remediate these vulnerabilities.

I work for HPE/ I am an HPE Employee (HPE Community)
