CVE-2016-10009 and CVE-2016-6515

ttkiranktly
Posts: 1
Joined: 2018/04/20 09:43:16

CVE-2016-10009 and CVE-2016-6515

Postby ttkiranktly » 2018/04/20 09:59:04

Hi,

A recent vulnerability scan in our environment identified the vulnerabilities below on our CentOS 6.9 servers:
CVE-2016-10009 - OpenSSH: Untrusted Search Path Vulnerability
CVE-2016-6515 - OpenSSH: Password Length Limitation Denial of Service Vulnerability

The current version of OpenSSH is:

openssh-5.3p1-123.el6_9.x86_64

This seems to be the latest version available for CentOS 6.9.

Could you please help with the following:

1) Is this version of OpenSSH really vulnerable to the above-mentioned CVEs?
2) If yes, how can this be mitigated?

Thanks,
Kiran

avij
Forum Moderator
Posts: 2451
Joined: 2010/12/01 19:25:52
Location: Helsinki, Finland

Re: CVE-2016-10009 and CVE-2016-6515

Postby avij » 2018/04/20 10:26:04

Please refer to the Red Hat CVE database:
https://access.redhat.com/security/cve/cve-2016-10009
https://access.redhat.com/security/cve/cve-2016-6515

For both of those, RH has decided not to fix these issues for the time being, and consequently, CentOS openssh will not get fixed either.
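On RHEL and CentOS the upstream version string (5.3p1) does not answer question 1 by itself, because security fixes are backported without bumping that version; the package changelog records which CVE ids a build actually fixes, and exposure to each issue also depends on local configuration. The script below is an added example written for this thread, not code from the original posts, Red Hat or CentOS. It assumes the standard `rpm -q --changelog openssh` output format and the default sshd_config/ssh_config directive syntax; the changelog and config text it embeds are constructed sample data. The CVE facts it encodes come from the upstream OpenSSH release notes: CVE-2016-6515 is a CPU exhaustion in password authentication (so key-only authentication removes the exposed path), and CVE-2016-10009 concerns ssh-agent loading a PKCS#11 module through a forwarded agent socket (so not forwarding the agent removes the exposed path).

```shell
#!/bin/sh
# Added example (not from the thread): exposure triage for CVE-2016-10009 and
# CVE-2016-6515 on an EL6 host. The sample changelog and config text below are
# constructed for the demo; the CVE facts come from the upstream advisories.

# RHEL/CentOS backport fixes without changing the upstream version string, so
# "5.3p1" alone tells a scanner nothing. The package changelog does: print
# "fixed" if it references the CVE id, "not-fixed" otherwise.
# $1 = CVE id, stdin = output of `rpm -q --changelog openssh`
cve_status() {
  if grep -q -F -- "$1"; then echo fixed; else echo not-fixed; fi
}

# Effective value of a directive in an sshd_config/ssh_config-style file.
# sshd uses the first uncommented occurrence; fall back to the supplied
# default when the directive is absent (commented lines never match).
# $1 = config file, $2 = directive, $3 = compiled-in default
effective_directive() {
  val=$(awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1")
  if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# CVE-2016-6515: sshd runs crypt() on unbounded password lengths, so the CPU
# DoS is only reachable when password authentication is enabled.
# $1 = sshd_config path; prints "exposed" or "mitigated"
dos_6515_exposure() {
  pa=$(effective_directive "$1" PasswordAuthentication yes)
  case "$(echo "$pa" | tr 'A-Z' 'a-z')" in
    no) echo mitigated ;;
    *)  echo exposed ;;
  esac
}

# CVE-2016-10009: ssh-agent would load a PKCS#11 module on request, which only
# matters when the agent socket is forwarded to a host you do not trust.
# ForwardAgent no (the default) removes that path.
# $1 = ssh_config path; prints "exposed" or "mitigated"
agent_10009_exposure() {
  fa=$(effective_directive "$1" ForwardAgent no)
  case "$(echo "$fa" | tr 'A-Z' 'a-z')" in
    yes) echo exposed ;;
    *)   echo mitigated ;;
  esac
}

# ---- constructed sample data for a stand-alone run -----------------------
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
SSHD_CFG="$DEMO_DIR/sshd_config"
SSH_CFG="$DEMO_DIR/ssh_config"
cat > "$SSHD_CFG" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
cat > "$SSH_CFG" <<'EOF'
Host *
    ForwardAgent yes
EOF
# Changelog lines in `rpm -q --changelog` style; both entries are invented
# (the second shows what a backported CVE fix looks like in a real changelog).
DEMO_CHANGELOG='* Mon Feb 27 2017 Example Packager <packager@example.invalid> - 5.3p1-123
- fix an example bug (#NNNN, constructed entry)
* Fri Jan 01 2016 Example Packager <packager@example.invalid> - 5.3p1-100
- backport fix for CVE-2016-0777 (constructed entry)'

for cve in CVE-2016-10009 CVE-2016-6515; do
  printf '%-15s changelog: %s\n' "$cve" \
    "$(printf '%s\n' "$DEMO_CHANGELOG" | cve_status "$cve")"
done
echo "CVE-2016-6515  password-auth exposure:    $(dos_6515_exposure "$SSHD_CFG")"
echo "CVE-2016-10009 agent-forwarding exposure: $(agent_10009_exposure "$SSH_CFG")"
```

On a real host, pipe the actual changelog in (`rpm -q --changelog openssh | cve_status CVE-2016-6515`) and point the two exposure functions at /etc/ssh/sshd_config and /etc/ssh/ssh_config; with the package from the thread the changelog check reports not-fixed for both ids, which matches the moderator's answer, so the configuration checks are the only mitigation left to act on.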