amazonlinux / amazon-linux-2023

Amazon Linux 2023
https://aws.amazon.com/linux/amazon-linux-2023/

[Bug] - CVE-2024-6387 affecting openssh-8.7p1 used in AL2023 #741

Closed elsaco closed 2 days ago

elsaco commented 2 days ago

Describe the bug
Potential remote code execution in OpenSSH server. Details at https://www.cve.org/CVERecord?id=CVE-2024-6387

Additional context
Mitigation: Set LoginGraceTime to 0 in /etc/ssh/sshd_config. This makes sshd vulnerable to a denial of service (the exhaustion of all MaxStartups connections), but it makes it safe from this vulnerability. Credit: https://ubuntu.com/security/CVE-2024-6387

samueloph commented 2 days ago

@elsaco you can refer to https://explore.alas.aws.amazon.com/CVE-2024-6387.html for the Amazon Linux details regarding this CVE.

elsaco commented 2 days ago

Fixed in openssh-8.7p1-8.amzn2023.0.11

* Mon Jun 24 2024 Paul Ezvan <paulezva@amazon.fr> - 8.7p1-8.amzn2023.0.11
- Disable interrupt logging.

Throne3d commented 2 days ago

For anyone looking at upgrading Amazon Linux 2023 for this, it seems 2023.5.20240624 (the latest AL2023 version in the documentation as of writing) has openssh 8.7p1-8.amzn2023.0.10, but 2023.5.20240701 seems to be available in AMIs and in the DNF repositories, and that seems to have the updated openssh version, 8.7p1-8.amzn2023.0.11. You should be able to patch your system by performing a dnf upgrade with the given releasever:

$ sudo dnf upgrade --releasever="2023.5.20240701"
...
Downloading Packages:
...
(#/#): openssh-8.7p1-8.amzn2023.0.11.aarch64.rpm
...

Make sure to test this out beforehand, reboot to make sure services are updated, etc., as usual for a system upgrade.
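An added example (not from this thread or the Amazon Linux project) that turns the two facts above into a fleet check: it compares the installed `openssh-server` EVR against the fixed build 8.7p1-8.amzn2023.0.11 using a simplified version of rpm's label comparison, and otherwise looks for the LoginGraceTime 0 workaround in sshd_config. The `rpm -q` line and config text are constructed inputs; the version comparison is an assumption that ignores rpm's `~`/`^` rules and epochs, and the config parser does not follow Include directives.

```python
import re

# First AL2023 build carrying the fix, as reported in this thread.
FIXED_EVR = "8.7p1-8.amzn2023.0.11"

def _segments(label):
    # rpmvercmp splits a label into runs of digits and runs of letters,
    # discarding separators such as '.', '-' and '_'.
    return re.findall(r"\d+|[A-Za-z]+", label)

def rpm_label_cmp(a, b):
    """Simplified rpmvercmp (no '~' or '^' handling). Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                       # numeric segments compare as integers
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:                        # a numeric segment is newer than an alpha one
            return 1 if xd else -1
        return (x > y) - (x < y)            # alpha segments compare lexically
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare 'version-release' strings the way rpm orders them (no epoch)."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpm_label_cmp(va, vb) or rpm_label_cmp(ra, rb)

def parse_rpm_q(line):
    """'openssh-server-8.7p1-8.amzn2023.0.10.aarch64' -> '8.7p1-8.amzn2023.0.10'."""
    m = re.match(r"openssh-server-(.+)\.(aarch64|x86_64|noarch)$", line.strip())
    if not m:
        raise ValueError(f"unexpected rpm -q output: {line!r}")
    return m.group(1)

def login_grace_time(sshd_config):
    """Effective LoginGraceTime in seconds; sshd keeps the first value it reads (default 120)."""
    m = re.search(r"^\s*LoginGraceTime\s+(\d+)([smh]?)\s*$", sshd_config, re.I | re.M)
    if not m:
        return 120
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2).lower()]

def assess(rpm_q_line, sshd_config):
    """Classify a host as 'patched', 'mitigated' (LoginGraceTime 0) or 'vulnerable'."""
    if evr_cmp(parse_rpm_q(rpm_q_line), FIXED_EVR) >= 0:
        return "patched"
    return "mitigated" if login_grace_time(sshd_config) == 0 else "vulnerable"
```

Feed it the real values with `rpm -q openssh-server` and the contents of /etc/ssh/sshd_config; the sample strings in the test are constructed.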

stewartsmith commented 2 days ago

Documentation can have some latency, so querying the SSM parameters and available AMIs may get you the new versions before the docs get the update.