dz_ny

OpenSSH security vulnerability

Blog Post created by dz_ny Expert on Jun 3, 2016

The OpenSSH security vulnerability is a false positive. The SUSE developers develop their own patches and have their own numbering. In their numbering, OpenSSH was patched for CVEs 2015-5352, -5600, and -6564 as of version 6.2p2-0.17.1. According to the SUSE analysis at https://www.suse.com/security/cve/CVE-2015-6565.html, CVE-2015-6565 concerns a bug that appears only in OpenSSH 6.8 and 6.9 and does not affect the older base version used in openSUSE.

The OVA 5.4 (and higher) has openssh-6.6p1-5.3.1.x86_64. This is documented (http://www.rpmfind.net/linux/RPM/opensuse/updates/leap/42.1/oss/x86_64/openssh-6.6p1-8.1.x86_64.html) to contain fixes for CVEs 2015-5352, 2015-5600, and 2015-6564. The statement about 2015-6565 still applies.

Most scanners only check the version and do not actually test for the vulnerability.
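One way to confirm the backports on the system itself instead of relying on the version string, as an added example that is not part of the original post. The function names are hypothetical and the changelog text is constructed sample data; the CVE IDs and the 6.8/6.9 range are the ones given above.

```shell
#!/bin/sh
# Triage a version-only scanner finding against a distro backport.
# CVE IDs are the ones named in the post.
CVES="CVE-2015-5352 CVE-2015-5600 CVE-2015-6564"

# Constructed sample standing in for the package changelog.
# On the real system use:  rpm -q --changelog openssh | check_backports
sample_changelog() {
cat <<'EOF'
* Mon Feb 01 2016 packager@example.invalid
- constructed entry: X11 forwarding timeout fix (CVE-2015-5352)
- constructed entry: keyboard-interactive limit (CVE-2015-5600)
- constructed entry: PAM privilege separation fix (CVE-2015-6564)
EOF
}

# Read a changelog on stdin and print one status line per CVE in $CVES.
# Returns 0 only if every CVE is mentioned as a whole word.
check_backports() {
    log=$(cat)
    rc=0
    for cve in $CVES; do
        if printf '%s\n' "$log" | grep -qwF "$cve"; then
            echo "$cve: fix listed in package changelog"
        else
            echo "$cve: not listed, verify manually"
            rc=1
        fi
    done
    return $rc
}

# Per the SUSE analysis cited in the post, CVE-2015-6565 appears only in
# OpenSSH 6.8 and 6.9. Argument: upstream base version, e.g. "6.6p1".
base_has_6565() {
    case "$1" in
        6.8*|6.9*) return 0 ;;
        *)         return 1 ;;
    esac
}

sample_changelog | check_backports
if base_has_6565 "6.6p1"; then
    echo "CVE-2015-6565: base version in affected range"
else
    echo "CVE-2015-6565: base version 6.6p1 outside 6.8/6.9, not applicable"
fi
```

A non-zero return from check_backports means at least one CVE is absent from the changelog and the finding should not be closed as a false positive without further checking.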

 

If you still prefer to disable SSH, open the VMTurbo console and run:  service sshd stop
