View Only

AIX vs CVE-2023-51385 vs Qualys (and other scanning software/services)

  • 1.  AIX vs CVE-2023-51385 vs Qualys (and other scanning software/services)

    IBM Champion
    Posted Tue April 16, 2024 04:16 PM

    I am getting dinged about CVE-2023-51385 from Qualys.

    AIX has this notice:  https://www.ibm.com/support/pages/node/7125640

    Now, IBM may or may not have done a dandy job of stopping the vulnerability.  However if they just patch an existing version of OpenSSH and do not go to a higher level of OpenSSH it doesn't make a difference as far as the scanning services go.  All they do is check your current version of OpenSSH and if you are not on a certain minimum level then they assume that you are still susceptible to the vulnerability.  I do not fault the scanning services.  After all, if the vulnerability was that an exploit will cause your system to overheat and shutdown do you really want them to see if that occurs?  So if the general belief for this CVE is that you need to be on 9.6 or higher of OpenSSH then any amount of patching that IBM does to some 8.1 version is not going to pass scanning.

    So, after all that patching I still am seeing:

    lslpp -L | grep -i openssh.base.client
      openssh.base.client    CE    F    Open Secure Shell Command

     ssh -vvv somelocation
    OpenSSH_8.1p1, OpenSSL 1.1.1v  1 Aug 2023

    Then I'm just not going to pass scanning, right?

    Robert Berendt IBMChampion