I strongly recommend you open an "Idea" at https://ibm-power-systems.ideas.ibm.com/ideas
IBM's normal method of operations is that some CVE reports an exploit with SSH. The open source community comes out with a new update of SSH (for example 10.3.1 to 10.3.2 or some such thing). IBM tends to remain at the older SSH and finds how to fix the CVE while remaining at that old version of SSH. You rerun the scan and you still get dinged because they only report that you are at the old version of SSH.
It's unreasonable to expect the scanning companies to truly test if you are still exposed to the CVE. For example, if the CVE states it leaves your system open to getting your disks initialized or you get response times measurable with a calendar, do you really want them unleashing that hell on your company?
I have opened numerous Ideas, some of them dealing specifically with upgrading the SSH versions on specific pieces of equipment. Some of these are at the most current versions offered by IBM and yet they're still running level 6 of SSH.
------------------------------
Robert Berendt IBMChampion
Business Systems Analyst, Lead
Dekko
Fort Wayne
------------------------------
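The post above describes a scanner that keys its "OpenSSH < 10.3" finding off the version string in the SSH banner rather than off the fix actually present on the host. The following script is an added example, not code from the original thread or from IBM, showing how such banner-based findings can be triaged offline: it parses the OpenSSH version token out of an SSH identification string, compares it numerically against the scanner threshold (a lexical string compare is a common pitfall, since "9.9" sorts after "10.3"), and lets the analyst record version tokens for which a vendor backport has been confirmed so the finding is annotated instead of re-raised on every scan. The sample banners, the `verified_backports` set and the `9.9p2` entry in it are constructed for illustration; no real IBM fix level or advisory is implied.

```python
"""Triage OpenSSH version-banner findings from a vulnerability scanner (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed banners for the walkthrough; they are not captured from any real host.
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.9",
    "SSH-2.0-OpenSSH_9.9p2",
    "SSH-2.0-OpenSSH_10.3p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-dropbear_2022.83",
]

BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


@dataclass(frozen=True)
class OpenSSHVersion:
    raw: str                    # the token as it appears in the banner, e.g. "9.9p2"
    key: Tuple[int, int, int]   # numeric (major, minor, portable-patch) for comparisons


def parse_openssh_version(banner: str) -> Optional[OpenSSHVersion]:
    """Return the OpenSSH version in an SSH identification string, or None when the
    banner is not OpenSSH (another server, or a banner with the version hidden)."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return OpenSSHVersion(raw=m.group(0)[len("SSH-2.0-OpenSSH_"):],
                          key=(int(major), int(minor), int(patch or 0)))


def parse_threshold(threshold: str) -> Tuple[int, int, int]:
    """Turn a scanner threshold such as "10.3" or "9.9p2" into the same numeric key."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:p(\d+))?", threshold.strip())
    if not m:
        raise ValueError(f"unrecognised threshold: {threshold!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def naive_lexical_flag(banner: str, threshold: str = "10.3") -> Optional[bool]:
    """The pitfall: comparing version strings lexically. "9.9" sorts after "10.3",
    so a host that should be flagged comes back clean (False)."""
    m = re.match(r"^SSH-2\.0-OpenSSH_([\d.]+)", banner)
    return None if not m else m.group(1) < threshold


def triage(banner: str, threshold: str = "10.3",
           verified_backports: frozenset = frozenset()) -> str:
    """Classify one scanner finding.

    verified_backports holds raw version tokens (e.g. "9.9p2") for which the analyst
    has confirmed, from the vendor's own advisory or fix list, that the CVE behind the
    finding was patched without the upstream version number being raised. That
    confirmation is a manual step; this function only records its outcome.
    """
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if v.key >= parse_threshold(threshold):
        return "clean"
    if v.raw in verified_backports:
        return "backported-fix-verified"
    return "needs-vendor-verification"


if __name__ == "__main__":
    accepted = frozenset({"9.9p2"})   # hypothetical: analyst has verified this build
    for b in SAMPLE_BANNERS:
        print(f"{b:45} numeric: {triage(b, '10.3', accepted):26} "
              f"lexical-flagged: {naive_lexical_flag(b, '10.3')}")
```

The "needs-vendor-verification" outcome is the honest state for a host like the 9.9 AIX server in the original question: the banner alone cannot tell you whether the vendor shipped the fix, so the finding stays open until someone checks the vendor's advisory and, if the fix is confirmed, adds that exact version token to the accepted set.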
Original Message:
Sent: Wed May 06, 2026 04:33 AM
From: De Quan Qu
Subject: OpenSSH < 10.3 Multiple Vulnerabilities
The SOS system has alerted that the OpenSSH service on the AIX server needs to be upgraded to version 10.3 (the current version is 9.9). Are there any update plans? The vulnerability due date is May 18th.
------------------------------
De Quan Qu
------------------------------