CVE-2016-3115 OpenSSH Xauth Command Injection Vulnerability

  • 7022313
  • 13-Nov-2017

Environment

Service Desk 7
Service Desk 7.4 Appliance

Situation

This TID pertains to the MFSD v7.4 Appliance only.
The MFSD v7.4 Appliance runs SLES 12 SP1 with OpenSSH v6.6p1-54.
A Qualys scan of the MFSD v7.4 Appliance reports the finding "CVE-2016-3115 OpenSSH Xauth Command Injection Vulnerability" because of the OpenSSH version, 6.6p1-54:

OpenSSH Xauth Command Injection Vulnerability - SSH-2.0-OpenSSH_6.6.1 detected on port 22 over TCP.
Resolution

This Qualys scan result is a false positive.
Per the SUSE Security website, this is not a vulnerability.
OpenSSH v6.6p1-54 on the MFSD v7.4 Appliance is free from this vulnerability.

Additional Information

Bug 1059233
The MFSD v7.4 Appliance ships SLES 12 SP1 with OpenSSH v6.6p1-54.
The MFSD v7.3 Appliance ships SLES 12 with OpenSSH v7.2p2-140.

For the MFSD v7.4 release, OpenSSH v6.6p1-54 from the SUSE repository was used because it contains the fix for the known vulnerability, even though its version number is lower than that of the OpenSSH bundled with MFSD v7.3.

Both OpenSSH versions are free from the vulnerability reported by the Qualys tool (CVE-2016-3115), and this is documented on the SUSE Security site (SuSE Linux Enterprise Server for Service Desk).