CVE-2016-3115 OpenSSH Xauth Command Injection Vulnerability

This document (7022313) is provided subject to the disclaimer at the end of this document.

Environment

Service Desk 7
Service Desk 7.4 Appliance

Situation

This TID pertains to MFSD v7.4 Appliance only.
MFSD v7.4 Appliance uses SLES 12 SP1 and OpenSSH v6.6p1-54.
A Qualys scan of the MFSD v7.4 Appliance reports the vulnerability "CVE-2016-3115 OpenSSH Xauth Command Injection Vulnerability" because of OpenSSH version 6.6p1-54:

OpenSSH Xauth Command Injection Vulnerability - SSH-2.0-OpenSSH_6.6.1 detected on port 22 over TCP.



Resolution

This Qualys scan reports a false positive.
Per the SuSE Security website, this is not a vulnerability.
OpenSSH v6.6p1-54 on the MFSD v7.4 Appliance is free from the vulnerability.

Additional Information

Bug 1059233
MFSD v7.4 Appliance has SLES 12 SP1 OpenSSH v6.6p1-54
MFSD v7.3 Appliance has SLES 12 OpenSSH v7.2p2-140

For the MFSD v7.4 release, the OpenSSH v6.6p1-54 package available in the SuSE repository was used because it includes fixes for the known vulnerability, even though its version is lower than the one bundled with MFSD v7.3.

Both OpenSSH versions are free from the vulnerability reported by the Qualys tool (CVE-2016-3115), and this is documented on the SuSE Security site. SuSE Linux Enterprise Server for Service Desk.
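
One way to check on the appliance that the finding rests only on the SSH banner while the installed package records the fix. This is an added example, not part of the original TID or any Micro Focus or SuSE tooling. It reads `rpm -q --changelog` output; the function names are hypothetical and the changelog text is constructed sample data.

```shell
#!/bin/sh
# Added example: triage a banner-based scanner finding against the RPM changelog.
# On the appliance:  rpm -q --changelog openssh | triage CVE-2016-3115 "$banner"

# Constructed sample of `rpm -q --changelog openssh` output (not real package data).
SAMPLE_CHANGELOG='* Mon Mar 14 2016 packager@example.com
- constructed entry: fix xauth command injection (CVE-2016-3115)
* Mon Feb 01 2016 packager@example.com
- constructed entry: unrelated bugfix'

# Print the header of the first changelog entry whose body mentions the CVE id.
# Reads changelog text on stdin; exit status 0 if found, 1 if not.
cve_entry() {
    awk -v cve="$1" '
        /^\* / { header = $0; next }   # "* <date> <packager>" starts an entry
        !found && header != "" && index($0, cve) { print header; found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Extract the upstream version a scanner sees in the SSH identification string.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-[0-9.]*-OpenSSH_\([0-9][0-9.p]*\).*/\1/p'
}

# $1 = CVE id, $2 = SSH banner, stdin = changelog text.
triage() {
    ver=$(banner_version "$2")
    if entry=$(cve_entry "$1"); then
        echo "backport evidence: $1 in changelog entry '$entry' (banner version $ver)"
    else
        echo "unconfirmed: no changelog entry mentions $1 (banner version $ver)"
        return 1
    fi
}

# Demo on the constructed sample and the banner string the scan reported.
printf '%s\n' "$SAMPLE_CHANGELOG" | triage CVE-2016-3115 'SSH-2.0-OpenSSH_6.6.1'
```

A changelog match is evidence to attach to the scanner exception, alongside the SuSE Security page the TID cites.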

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7022313
  • Creation Date: 13-NOV-17
  • Modified Date: 13-NOV-17
    • Novell Service Desk
