A new OpenSSH vulnerability (CVE-2024-6387) that allows unauthenticated code execution has been found: https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server
VHI versions 5.x are not affected, but versions 6.0, 6.1 and 6.2 require an update to fix the issue.
Virtuozzo has delivered 3 hotfixes that close the vulnerability, one for each affected version. For more details and installation guidelines, check the following release notes:
- For VHI 6.2 - https://docs.virtuozzo.com/virtuozzo_advisory_archive/virtuozzo-hybrid-infrastructure/VZA-2024-027.html
- For VHI 6.1 - https://docs.virtuozzo.com/virtuozzo_advisory_archive/virtuozzo-hybrid-infrastructure/VZA-2024-026.html
- For VHI 6.0 - https://docs.virtuozzo.com/virtuozzo_advisory_archive/virtuozzo-hybrid-infrastructure/VZA-2024-025.html
Alternative option: updating packages individually.
Although we encourage all customers to install the full VHI update, if that is not possible you can install the individual packages manually. Please follow the guidance below:
Check which openssh packages are installed:
# rpm -qa | grep openssh
a. The following packages are installed by default (their versions may differ, so they are shown here as <package_name-xxx>):
openssh-xxx
openssh-clients-xxx
openssh-server-xxx
Use the following command to update the packages to the new version, which contains the fix:
# yum -y update openssh openssh-clients openssh-server
b. You may also have additional packages installed, such as the following:
openssh-keycat-xxx
In this case, add these packages to the initial update command, like this:
# yum -y update openssh openssh-clients openssh-server openssh-keycat
WE KINDLY ASK YOU NOT TO INSTALL ANY ADDITIONAL PACKAGES THAT WERE NOT PRESENT IN THE CLUSTER INITIALLY. UPDATE ONLY THE ALREADY INSTALLED PACKAGES.
Finally, after updating the packages, check the new package version and confirm it is the following or higher:
8.7p1-38.3.vl9.x86_64
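The check-and-update steps above can be scripted. The following is an added example, not Virtuozzo tooling: it reports which installed openssh packages are below the fixed build and prints an update command that names only those packages. The function names and the sample inventory are constructed for illustration, and versions are compared segment by segment following rpm's ordering rules (tilde and caret handling omitted), because a plain string comparison would rank 38.10 below 38.3.

```bash
# Added example, not Virtuozzo tooling; function names are illustrative.
FIXED="8.7p1-38.3.vl9"   # minimum fixed version-release from the advisory

# Compare two version or release strings segment by segment, following rpm's
# ordering rules (tilde/caret handling omitted). Prints -1, 0 or 1.
rpmvercmp() {
  local a="$1" b="$2" x y
  while :; do
    a=${a#"${a%%[a-zA-Z0-9]*}"}; b=${b#"${b%%[a-zA-Z0-9]*}"}  # drop separators
    [ -n "$a" ] && [ -n "$b" ] || break
    case $a in
      [0-9]*)
        x=${a%%[!0-9]*}; y=${b%%[!0-9]*}
        if [ -z "$y" ]; then echo 1; return; fi      # a number beats letters
        a=${a#"$x"}; b=${b#"$y"}
        x=${x#"${x%%[!0]*}"}; y=${y#"${y%%[!0]*}"}   # strip leading zeros
        if [ ${#x} -ne ${#y} ]; then [ ${#x} -gt ${#y} ] && echo 1 || echo -1; return; fi ;;
      *)
        x=${a%%[!a-zA-Z]*}; y=${b%%[!a-zA-Z]*}
        if [ -z "$y" ]; then echo -1; return; fi     # letters lose to a number
        a=${a#"$x"}; b=${b#"$y"} ;;
    esac
    if [ "$x" \< "$y" ]; then echo -1; return; fi
    if [ "$x" \> "$y" ]; then echo 1; return; fi
  done
  if [ -n "$a" ]; then echo 1; elif [ -n "$b" ]; then echo -1; else echo 0; fi
}

is_fixed() {  # succeeds when version-release $1 is at or above $FIXED
  local c; c=$(rpmvercmp "${1%%-*}" "${FIXED%%-*}")                 # version
  if [ "$c" = 0 ]; then c=$(rpmvercmp "${1#*-}" "${FIXED#*-}"); fi  # release
  [ "$c" != -1 ]
}

# Read "name version-release" lines; list only installed packages to update.
audit() {
  local name vr todo=""
  while read -r name vr; do
    case $name in openssh*) ;; *) continue ;; esac
    if is_fixed "$vr"; then echo "OK      $name-$vr"
    else echo "UPDATE  $name-$vr"; todo="$todo $name"; fi
  done
  if [ -n "$todo" ]; then echo "yum -y update$todo"; fi
}

# Constructed sample input. On a node, feed real data instead:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'openssh*' | audit
sample_inventory() {
  printf 'openssh %s\nopenssh-clients %s\nopenssh-server %s\n' 8.7p1-38.vl9 8.7p1-38.vl9 8.7p1-38.3.vl9
}
sample_inventory | audit
```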
If you have any issues with these steps, please create a Support ticket immediately with an explanation of the issue.