openssh privileged escalation vuln

vpswing

Well-Known Member
Jun 4, 2014
cPanel Access Level
Root Administrator
I ran a PCI scan on a cPanel server that I'm managing. One of the failed results showed this:
Does cPanel have a patch or an update to version 8.8?

Thanks!
-----------------------------
OpenSSH Privilege Escalation Vulnerability

THREAT:
OpenSSH (OpenBSD Secure Shell) is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol.

Affected Versions: OpenSSH 6.2 through 8.7

QID Detection Logic: This unauthenticated detection works by reviewing the version of the OpenSSH service.

IMPACT: Attack may lead to privilege escalation due to supplemental groups not initialized.

SOLUTION:
Customers are advised to upgrade to OpenSSH 8.8 (https://www.openssh.com/txt/release-8.8) or later to remediate these vulnerabilities.

Patch:
Following are links for downloading patches to fix the vulnerabilities:
CVE-2021-41617 (https://www.openssh.com/txt/release-8.8)

ffeingol

Well-Known Member
PartnerNOC
Nov 9, 2001
cPanel Access Level
DataCenter Provider
Assuming this is a RedHat/CentOS system, lots of the CVEs are backported in, but the version is not updated. Try this to check:

Code:
rpm -q --changelog openssh | egrep CVE-2021-41617
It should be patched, but there is not much that cPanel can do, as OpenSSH is an OS-provided package, not a cPanel-provided one.
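The scanner above flags purely on the version banner, while the reply checks the package changelog for the backported fix. As an added example (not code from this thread, cPanel, or the scanner vendor), here is that decision written out in Python over already-captured `ssh -V` and `rpm -q --changelog openssh` text, so it runs anywhere; the changelog entry is constructed, not a real Red Hat changelog.

```python
"""Classify a version-only CVE-2021-41617 finding as 'not-affected',
'backported-fix' or 'vulnerable' from the installed OpenSSH version
and the distro package changelog (the same evidence the thread uses)."""
import re
from typing import Tuple

CVE = "CVE-2021-41617"
AFFECTED_MIN = (6, 2)   # "OpenSSH 6.2 through 8.7", inclusive, per the scan
AFFECTED_MAX = (8, 7)


def parse_openssh_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) from forms such as '7.4p1',
    'OpenSSH_7.4p1, OpenSSL 1.0.2k' or the rpm form 'openssh-8.0p1-10.el8'."""
    m = re.search(r"(\d+)\.(\d+)(?:p\d+)?", text)
    if not m:
        raise ValueError(f"no OpenSSH version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def version_in_affected_range(version: str) -> bool:
    return AFFECTED_MIN <= parse_openssh_version(version) <= AFFECTED_MAX


def changelog_mentions_fix(changelog: str, cve: str = CVE) -> bool:
    """Same test as `rpm -q --changelog openssh | egrep CVE-2021-41617`,
    applied to captured changelog text."""
    return re.search(re.escape(cve), changelog) is not None


def assess(version: str, changelog: str) -> str:
    """Version outside the range: not affected. In range but the changelog
    records the CVE: backported fix (scanner false positive). Otherwise: act."""
    if not version_in_affected_range(version):
        return "not-affected"
    if changelog_mentions_fix(changelog):
        return "backported-fix"
    return "vulnerable"


# Constructed sample in the style of `rpm --changelog` output (made-up
# date, packager and release; only the CVE tag matters to the check).
SAMPLE_CHANGELOG = """\
* Mon Jan 10 2022 Example Packager <pkg@example.invalid> - 8.0p1-10
- sshd: initialise supplemental groups correctly (CVE-2021-41617)

* Tue Nov 02 2021 Example Packager <pkg@example.invalid> - 8.0p1-9
- rebuild
"""

if __name__ == "__main__":
    print(assess("OpenSSH_8.0p1, OpenSSL 1.1.1k", SAMPLE_CHANGELOG))  # backported-fix
    print(assess("OpenSSH_8.0p1, OpenSSL 1.1.1k", "- rebuild\n"))     # vulnerable
    print(assess("openssh-8.8p1-1.el9", ""))                           # not-affected
```

On a real host, feed `assess()` the output of `ssh -V` (written to stderr) and of `rpm -q --changelog openssh`; a "vulnerable" result means the distro package has neither the upstream 8.8 version nor a recorded backport.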