What you need to know about regreSSHion: an OpenSSH server remote code execution vulnerability (CVE-2024-6387)


On 1 July 2024 we released a fix for the high-impact CVE-2024-6387 vulnerability, nicknamed regreSSHion, as part of the coordinated release date (CRD). Discovered and responsibly disclosed by Qualys, the unauthenticated, network-exploitable remote code execution flaw affects the OpenSSH server daemon (sshd) starting with version 8.5p1 and before 9.8p1. As for the versions distributed and supported by Ubuntu, this only affected the 22.04 LTS, 23.10 and 24.04 LTS releases – patched packages were made available to all users on the CRD. Older security-maintained releases, including those under ESM or Legacy Support (14.04 LTS, 16.04 LTS, 18.04LTS and 20.04 LTS) were unaffected, as they contain prior versions of the software that did not contain the affected code. If you’re running an OpenSSH server on a version that was affected, our recommendation is that you update as soon as possible. Read on to learn more about this CVE and how you can apply the fix.


This vulnerability…

Source link