I am getting dinged about CVE-2023-51385 from Qualys.
AIX has this notice: https://www.ibm.com/support/pages/node/7125640
Now, IBM may or may not have done a dandy job of stopping the vulnerability. However if they just patch an existing version of OpenSSH and do not go to a higher level of OpenSSH it doesn't make a difference as far as the scanning services go. All they do is check your current version of OpenSSH and if you are not on a certain minimum level then they assume that you are still susceptible to the vulnerability. I do not fault the scanning services. After all, if the vulnerability was that an exploit will cause your system to overheat and shutdown do you really want them to see if that occurs? So if the general belief for this CVE is that you need to be on 9.6 or higher of OpenSSH then any amount of patching that IBM does to some 8.1 version is not going to pass scanning.
So, after all that patching I still am seeing:
lslpp -L | grep -i openssh.base.client
openssh.base.client 8.1.112.2000 CE F Open Secure Shell Command
ssh -vvv somelocation
OpenSSH_8.1p1, OpenSSL 1.1.1v 1 Aug 2023
Then I'm just not going to pass scanning, right?
------------------------------
Robert Berendt IBMChampion
------------------------------