Closed elsaco closed 2 days ago
@elsaco you can refer to https://explore.alas.aws.amazon.com/CVE-2024-6387.html for the Amazon Linux details regarding this CVE.
Fixed in openssh-8.7p1-8.amzn2023.0.11
* Mon Jun 24 2024 Paul Ezvan <paulezva@amazon.fr> - 8.7p1-8.amzn2023.0.11
- Disable interrupt logging.
For anyone looking at upgrading Amazon Linux 2023 for this, it seems 2023.5.20240624
(the latest AL2023 version in the documentation as of writing) has openssh 8.7p1-8.amzn2023.0.10
, but 2023.5.20240701
seems to be available in AMIs and in the DNF repositories, and that seems to have the updated openssh version, 8.7p1-8.amzn2023.0.11
. You should be able to patch your system by performing a dnf upgrade
with the given releasever:
$ sudo dnf upgrade --releasever="2023.5.20240701"
...
Downloading Packages:
...
(#/#): openssh-8.7p1-8.amzn2023.0.11.aarch64.rpm
...
Make sure to test this out beforehand, reboot to make sure services are updated, etc, as usual for a system upgrade.
Documentation can have some latency, so querying the SSM parameters and available AMIs may get you the new versions before the docs get the update.
Describe the bug Potential remote code execution in OpenSSH server. Details at https://www.cve.org/CVERecord?id=CVE-2024-6387
Additional context Mitigation: Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from this vulnerability. Credit: https://ubuntu.com/security/CVE-2024-6387