OpenSSH Versions Prior to 9.3p2 are Susceptible to a Vulnerability Which When Successfully Exploited Could Lead to Disclosure of Sensitive Information, Addition or Modification of Data, or Denial of Service (DoS)

Priority: Critical
Status: In Progress - Undergoing Analysis
First Published: 08 December 2023
Advisory Version: 1.0
References: CVE-2023-38408

Summary

The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. (Code in /usr/lib is not necessarily safe for loading into ssh-agent.)

Affected Products

Vulnerable Products

The following matrix lists Hitachi Vantara products and solutions which have been confirmed to be affected by this vulnerability. If a Fixed Release Version is accompanied by a future date, the date is the best estimate we can provide based on current information and mitigation testing progress. If no Fixed Release Version is indicated for an affected product, Hitachi Vantara is continuing to evaluate the fix, and will update this advisory as additional information becomes available.

| Product | Fixed Release Version |
| Content Platform Anywhere Enterprise | This is fixed in portal image 8.0.1315.7.1 or later |

Products Confirmed Not Vulnerable

At the time of this advisory's publication, only products listed in the Vulnerable Products section above are confirmed to be affected by this vulnerability.

| Content Platform S Series | Not vulnerable |
| Content Intelligence | Not vulnerable |
| Content Software for File | Not vulnerable |
| Content Platform Anywhere | Not vulnerable |
| Hitachi Data Ingestor | Not vulnerable |
| Content Platform Gateway | Not vulnerable |
| HCP for Cloud Scale | Not vulnerable. The HCPCS 2.x.x container OS does NOT include OpenSSL. Regarding Red Hat OS, it does bundle a vulnerable version, but it's NOT used directly by HCPCS software. Two paths are being worked: 1) short-term workaround: develop instructions to manually uninstall OpenSSH from our appliances; 2) long-term workaround: work with RHEL to develop a security OS upgrade/patch that can be delivered as a regular OS update tool. |
| Content Platform | Not vulnerable. HCP ships a vulnerable version of the SSH-AGENT third-party package, but the way SSH-AGENT is utilized on an HCP system negates the risk of exploitation. An HCP system never opens an SSH connection to any other system, or to any IP address that is not that HCP system's back-end IP address, outside of the realm of that HCP system. Thus, the condition described in the CVE does not occur in an HCP system. To ensure that HCP customers' security scans no longer flag this CVE, a future release of HCP will ship a version of SSH-AGENT that includes a resolution for this CVE. |

Recommended Actions

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara's products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.
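A defender-side check for the two conditions the Summary names, added here as an example and not taken from the advisory or from Hitachi Vantara: it compares an `ssh -V` banner against the 9.3p2 threshold and lists `ForwardAgent` settings in an ssh_config that turn agent forwarding on. The function names, the sample banner and the sample config are constructed for illustration.

```python
import re

FIXED = (9, 3, 2)  # 9.3p2, the first fixed release named in the advisory

def parse_openssh_version(banner):
    # Return (major, minor, portable_patch) from an `ssh -V` banner, or None.
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?(?:p(\d+))?", banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def predates_fix(banner):
    # True if the banner is below 9.3p2, None if it cannot be parsed.
    # True is what a scanner would flag, not proof of exposure: distributions
    # backport fixes without changing the upstream version string.
    version = parse_openssh_version(banner)
    return None if version is None else version < FIXED

def forwarding_findings(config_text):
    # List (scope, line_no, value) for each ForwardAgent setting other than "no".
    # ssh_config's first-match-wins rule is not resolved; these are candidates.
    findings, scope = [], "global"
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single "="
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key in ("host", "match"):
            scope = line
        elif key == "forwardagent" and value.lower() != "no":
            findings.append((scope, line_no, value))
    return findings

# Constructed sample input, not from the advisory.
SAMPLE_BANNER = "OpenSSH_9.3p1, OpenSSL 3.0.8 7 Feb 2023"
SAMPLE_CONFIG = """\
# constructed sample
Host bastion.example
    ForwardAgent yes
Host *.internal.example
    forwardagent=no
Host *
    ForwardAgent no
"""

if __name__ == "__main__":
    print("predates 9.3p2:", predates_fix(SAMPLE_BANNER))
    for scope, line_no, value in forwarding_findings(SAMPLE_CONFIG):
        print(f"line {line_no}: ForwardAgent {value} under '{scope}'")
```

For the value that actually applies to one host, `ssh -G <host>` prints the resolved client configuration.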