OpenSSH Versions Prior to 9.3p2 are Susceptible to a Vulnerability Which When Successfully Exploited Could Lead to Disclosure of Sensitive Information, Addition or Modification of Data, or Denial of Service (DoS)
Priority: ● Critical
Status: In Progress- Undergoing Analysis
First Published: 08 December 2023
Advisory Version: 1.0
References: CVE-2023-38408
Summary
The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)
Affected Products
Vulnerable Products
The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by either of these vulnerabilities. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.
| Product | Fixed Release Version |
| Content Products |
| Content Platform Anywhere Enterprise | This is fixed in portal image 8.0.1315.7.1 or later |
Products Confirmed Not Vulnerable
At the time of this advisory's publication, only products listed in the Vulnerable Products section above are confirmed to be affected by this vulnerability.
| Product | Notes |
| Content Products |
| Content Platform S Series | Not vulnerable |
| Content Intelligence | Not vulnerable |
| Content Software for File | Not vulnerable |
| Content Platform Anywhere | Not vulnerable |
| Hitachi Data Ingestor | Not vulnerable |
| Content Platform Gateway | Not vulnerable |
| HCP for Cloud Scale |
Not vulnerable. The HCPCS 2.x.x container OS does NOT include openSSL. Regarding RedHat OS, it does bundle a vulnerable version, but its NOT used directly by HCPCS software. Two paths being worked 1) short term workaround, develop instructions to manually uninstall openssh from our appliances. |
| Content Platform | Not vulnerable. HCP ships a vulnerable version of the SSH-AGENT third-party package, but the way SSH-AGENT is utilized on an HCP system negates the risk of exploitation. An HCP system never opens SSH connection to any other system, or any IP address that is not that HCP system’s back-end IP address, outside of the realm of that HCP system. Thus, the condition described in the CVE, does not occur in an HCP system. In order to ensure that HCP customers' security scans no longer flag this CVE, a future release of HCP will ship a version of SSH-AGENT that includes resolution for this CVE. |
Recommended Actions
If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.
The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.