CVE-2024-6387 SSH Vulnerability Fix

Ruohang Feng
Pigsty Founder, @Vonng

Vulnerability description, CVE-2024-6387: https://nvd.nist.gov/vuln/detail/CVE-2024-6387

This vulnerability mainly affects newer operating system releases. Older releases such as CentOS 7.9, RockyLinux 8.9, Ubuntu 20.04, and Debian 11 ship OpenSSH versions that are old enough not to be affected.

Among the operating system distributions supported by Pigsty, RockyLinux 9.3, Ubuntu 22.04, and Debian 12 are affected:

$ ssh -V

OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022                       # rockylinux 9.3
OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022    # ubuntu 22.04
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023    # debian 12

Diagnosis Method


Vulnerability announcements:

RockyLinux 9+: https://rockylinux.org/news/2024-07-01-openssh-sigalrm-regression

Debian 12+: https://security-tracker.debian.org/tracker/CVE-2024-6387

Ubuntu 22.04+: https://ubuntu.com/security/CVE-2024-6387


Solution

Use the system's default package manager to upgrade openssh-server, then restart the sshd service so the patched binary is actually in use.

Post-upgrade version reference:

# rockylinux 9.3  : 8.7p1-34.el9      -------> 8.7p1-38.el9_4.1    
# ubuntu 22.04    :                   -------> 8.9p1-3ubuntu0.6    
# debian 12       :                   -------> 1:9.2p1-2+deb12u2   
systemctl restart sshd

rocky9.3

$ rpm -q openssh-server
openssh-server-8.7p1-34.el9.x86_64      # vulnerable

$ yum install openssh-server
openssh-server-8.7p1-38.el9_4.1.x86_64  # fixed

debian12

$ dpkg -s openssh-server

$ apt install openssh-server
Version: 1:9.2p1-2+deb12u2              # fixed

ubuntu22.04

$ dpkg -s openssh-server

$ apt install openssh-server
Version: 1:8.9p1-3ubuntu0.6             # fixed
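As an added example that is not part of the original post: a POSIX shell helper that compares the installed openssh-server package version against the fixed builds quoted above, so the check can be scripted across a fleet instead of reading `rpm -q` / `dpkg -s` output by hand. The distro labels (rocky9, debian12, ubuntu22), the use of GNU `sort -V` for version ordering, and the `installed_version` helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Pigsty's own code): decide whether openssh-server on a
# host is still older than the fixed build for CVE-2024-6387.
# Fixed versions are the ones listed in the post; version ordering relies on
# GNU coreutils `sort -V` (assumption: good enough for these RPM/deb strings).

# fixed_version <distro> -> fixed package version for that distro
fixed_version() {
  case "$1" in
    rocky9)   echo "8.7p1-38.el9_4.1" ;;
    debian12) echo "1:9.2p1-2+deb12u2" ;;
    ubuntu22) echo "1:8.9p1-3ubuntu0.6" ;;
    *)        return 1 ;;
  esac
}

# ssh_needs_update <distro> <installed-version> -> prints "yes" or "no"
ssh_needs_update() {
  fixed=$(fixed_version "$1") || { echo "unknown distro: $1" >&2; return 2; }
  # The lower of the two strings according to sort -V; if the fixed version
  # sorts first (or both are equal), the installed package is already patched.
  lowest=$(printf '%s\n%s\n' "$2" "$fixed" | sort -V | head -n 1)
  if [ "$2" = "$fixed" ] || [ "$lowest" = "$fixed" ]; then
    echo no
  else
    echo yes
  fi
}

# installed_version <distro> -> version string as the package manager reports it
installed_version() {
  case "$1" in
    rocky9)            rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssh-server ;;
    debian12|ubuntu22) dpkg-query -W -f '${Version}\n' openssh-server ;;
    *)                 return 1 ;;
  esac
}

# Usage: sh check-openssh.sh <distro>   (with no argument only the functions are defined)
if [ "$#" -ge 1 ]; then
  current=$(installed_version "$1") || exit 2
  printf 'openssh-server %s on %s: needs update = %s\n' \
    "$current" "$1" "$(ssh_needs_update "$1" "$current")"
fi
```

A "yes" verdict means the upgrade and `systemctl restart sshd` from the Solution section still need to be applied on that host.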

Future Improvements

Starting with Pigsty's next release, v2.8, the latest openssh-server package will be downloaded and installed by default, so this vulnerability is fixed out of the box.
