Vulnerability question DCE 7.7

DCIM_Support · ‎2020-07-05

Hi team,

Customer had the following question:

This vulnerability was identified because (1) jQuery 1.11.1 has reached its end-of-life and is no longer supported by the vendor, consider upgrading to a newer supported version

OpenSSH: Brute-Force Authentication Protection Bypass Vulnerability

OpenSSH: Untrusted Search Path Vulnerability

OpenSSH: Shared Memory Manager Privilege Escalation Vulnerability

OpenSSH: Password Length Limitation Denial of Service Vulnerability

OpenSSH: Security Bypass Vulnerability

The above is solved in OpenSSH version 7.9p1 or higher,

What version do we have in DCE 7.7

DCIM_Support · ‎2020-07-05

Hi Cees de Vogel,

Security scan results are listed here: https://sxwhelpcenter.ecostruxureit.com/display/UADCE725/Security+fixes+in+StruxureWare+Data+Center+...

CVE-2015-5600 and CVE-2016-1908 are included, the others are not. Engineering will have to search prior scan results to give you a definite answer.

Best,

Jackie

See Answer In Context

DCIM_Support · ‎2020-07-05

Hi Cees,

When I queried sshd in DCE 7.7.0, it returned:

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Can you please provide a link to a web site or CVE showing the reported vulnerability to which you are referring?

Thanks,

Steve

DCIM_Support · ‎2020-07-05

Hi Steve,

Here the requested CVE information:

OpenSSH: Brute-Force Authentication Protection Bypass Vulnerability

CVE-2015-5600

OpenSSH: Untrusted Search Path Vulnerability

CVE-2016-10009

OpenSSH: Shared Memory Manager Privilege Escalation Vulnerability

CVE-2016-10012

OpenSSH: Password Length Limitation Denial of Service Vulnerability

CVE-2016-6515

OpenSSH: Security Bypass Vulnerability

CVE-2016-1908

BR

Cees

DCIM_Support · ‎2020-07-05

Thanks...I'll see if I can find anything from the engineering teams.

Steve

DCIM_Support · ‎2020-07-05

Hi Steve,

Thanks for your response, check also answer Jackie,

BR

Cees

DCIM_Support · ‎2020-07-05

Hi Cees de Vogel,

Security scan results are listed here: https://sxwhelpcenter.ecostruxureit.com/display/UADCE725/Security+fixes+in+StruxureWare+Data+Center+...

CVE-2015-5600 and CVE-2016-1908 are included, the others are not. Engineering will have to search prior scan results to give you a definite answer.

Best,

Jackie

DCIM_Support · ‎2020-07-05

Hi Jackie,

Thanks a lot

BR Cees

DCIM_Support · ‎2020-07-05

This question is closed for comments. You're welcome to start a new topic if you have further comments on this issue.