IBM Support

AIX: Security Vulnerability Scanner Tools Fails To Detect OpenSSH Version

Troubleshooting


Problem

An OpenSSH efix was installed to address a vulnerability, but the security scanner tool still flags the vulnerability.

Symptom

Cause

Most security scanners decide whether a system is impacted based on the version of the package installed on the system.
These tools cannot detect a patched version of OpenSSH that has the vulnerability efix installed.

Environment

AIX operating system with openssh.base.server 9.7.3013.1000 or higher.

Diagnosing The Problem

IBM has introduced a new AIX-specific configuration option, 'DisplayPatchVersion', starting in OpenSSH 9.7.3013.1000. Setting this option to yes will display the community version from which vulnerability fixes have been patched.

Resolving The Problem

This applies to OpenSSH 9.7.3013.1000 or higher.

Add this line to the end of /etc/ssh/ssh_config and /etc/ssh/sshd_config:

    DisplayPatchVersion yes

Stop and restart sshd to pick up the change to sshd_config.

Example before adding DisplayPatchVersion yes to ssh_config:

    # ssh -V
    OpenSSH_9.7p1, OpenSSL 3.0.13 30 Jan 2024

    # vi /etc/ssh/ssh_config

Add the following to ssh_config:

    DisplayPatchVersion yes

Example after adding DisplayPatchVersion yes to ssh_config:

    # ssh -V
    OpenSSH_9.8p1, OpenSSL 3.0.13 30 Jan 2024

ssh -V now shows the OpenSSH community version from which the vulnerability fixes have been patched.
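
In OpenSSH configuration files, a directive that follows a Host or Match line belongs to that block, so a line appended "to the end" of a file is not necessarily a global setting. The following added example (not IBM code; the function names dpv_state and dpv_audit are made up here) reports how DisplayPatchVersion is set in each file. How the option behaves inside a block is not stated on this page, so the script only flags that case for review.

```shell
#!/bin/sh
# Added example (not IBM code): report how DisplayPatchVersion is set in an
# OpenSSH client or server config file. Prints one of:
#   global-yes | global-no | in-block | missing
dpv_state() {
    awk '
    BEGIN { state = "missing"; inblock = 0 }
    {
        sub(/^[ \t]+/, "")                    # leading whitespace is ignored
        if ($0 == "" || $0 ~ /^#/) next       # blank lines and comments
        sub(/[ \t]*=[ \t]*/, " ")             # accept the Keyword=value form
        key = tolower($1); val = tolower($2)  # keywords are case-insensitive
        gsub(/"/, "", val)
        if (key == "host" || key == "match") {
            # "Host *" and "Match all" apply to everything: treat as global
            inblock = !((key == "host" && val == "*") || (key == "match" && val == "all"))
            next
        }
        if (key != "displaypatchversion") next
        if (inblock) { state = "in-block"; next }
        state = (val == "yes") ? "global-yes" : "global-no"
        exit                                  # first global value wins
    }
    END { print state }
    ' "$1"
}

# Audit the given files (default: the two files named on this page).
# Returns non-zero if any file lacks a global "DisplayPatchVersion yes".
dpv_audit() {
    [ $# -gt 0 ] || set -- /etc/ssh/ssh_config /etc/ssh/sshd_config
    rc=0
    for f in "$@"; do
        if [ -r "$f" ]; then s=$(dpv_state "$f"); else s="unreadable"; fi
        printf '%s: %s\n' "$f" "$s"
        [ "$s" = "global-yes" ] || rc=1
    done
    return $rc
}
```

Calling dpv_audit with no arguments checks /etc/ssh/ssh_config and /etc/ssh/sshd_config; any result other than global-yes is worth reviewing before re-running the scanner.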
 

SUPPORT

If you require more assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.

1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2. Capture any logs or data relevant to the situation.

3. Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4. Provide a clear, concise description of the issue.

 - For guidance, see: Working with IBM AIX Support: Describing the problem.

5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.

 - For guidance, see: Working with IBM AIX Support: Collecting snap data

6. Upload all of the details and data to your case.

   - Attach files to your case in the IBM Support Community

     https://www.ibm.com/mysupport/s/?language=en_US

   - Or upload data to IBM testcase server analysis:

Document Information

Modified date:
03 December 2024

UID

ibm17177238