1

I'm working on shoring up some vulnerabilities in our environment, and one of them is that we're on OpenSSH 8.9. Our security team has advised us to upgrade to 9.3, but I'm not seeing anything indicating this package is available for Ubuntu 22.04. Is there any way to upgrade to that version?

12
  • Please obtain information about which CVEs they think need fixing, that aren't included here. If they can't, I would suggest looking for a new security team that knows what they're talking about. Ubuntu patches LTS releases, so OpenSSH 8.9 in 22.04 should be at least as secure as any newer version. Commented Jun 9, 2023 at 15:24
  • 2
    Your security team are likely relying specifically on scanner results, which are typically incorrect. Ubuntu patches CVEs with patches cherry-picked and applied to the version in the Ubuntu repos and to my knowledge there are no CVEs that are not already patched in the packaging. Check the CVE tracker for more details, and have your 'security team' learn not to rely solely on their tools, and to actually check if the CVEs, etc. they're seeing reported are in fact patched. (This is why we use Rapid7 InsightVM to check all our systems' security with credentialed agent access.)
    – Thomas Ward
    Commented Jun 9, 2023 at 16:10
  • 1
    (Disclaimer: I'm an IT Security Professional myself AND the IT Sec person at my employer and we regularly see these 'false positives' in scans which don't have credentialed access to the systems to see what versions are actually installed and compare that against the known security patches that have been released)
    – Thomas Ward
    Commented Jun 9, 2023 at 16:11
  • 2
    Does this answer your question? How can I tell if a CVE has been fixed in Ubuntu's repositories?
    – muru
    Commented Jun 9, 2023 at 16:41
  • 2
    @ArturMeinild also AIUI the initial CVE score is from the submitter and can be inflated by self-important security types for reputation. Take this CVE which had a score of 9.8 (!) for Vim of all things. At the time security folks at my company were going nuts about it, and then I read the bounty report, then ran the score calculator with what I felt were the right parameters and got 7.3 (close to the value it has now).
    – muru
    Commented Jun 13, 2023 at 15:05

1 Answer

4

Your security team are likely relying specifically on scanner results, which are typically incorrect.

Ubuntu patches CVEs with patches cherry-picked and applied to the version in the Ubuntu repos and to my knowledge there are no CVEs that are not already patched in the packaging. Check the CVE tracker for more details, and have your 'security team' learn not to rely solely on their tools, and to actually check if the CVEs, etc. they're seeing reported are in fact patched. (This is why we use Rapid7 InsightVM to check all our systems' security with credentialed agent access at my employer.)

Note that some CVEs are likely patched, while others don't apply, etc. so you and your sec team need to look up the specific CVEs on the tracker and see if the version of Ubuntu in use actually has a patch available. If it does, it'll list what version of the package has the patch. You can then check apt policy openssh-server and see what version of OpenSSH server is installed on the system. If it's older than the package version that's patched, you need to run updates on your systems.

(Disclaimer: I am an IT Security Professional by trade, and this 'misconception' of "you MUST upgrade to the latest OpenSSH or you're not safe!" is a notion that security teams need to stop adhering to, and they need to learn how the infrastructure actually works and gets updated.)


If you are dead set on updating to newer OpenSSH to fix this, then you need to manually compile OpenSSH and install it on those affected systems. This will not be trivial and is not easily documented here.
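One way to script the check the answer describes (look up the version the CVE tracker lists as fixed, then compare it with what apt policy openssh-server reports on the host). This is an added example and not part of the original answer: the apt policy output and all version strings below are constructed samples, the fixed version is a placeholder for whatever the tracker lists for the CVE you are investigating, and the comparison re-implements the dpkg version ordering (epoch, upstream, Debian revision, with ~ sorting before everything) so the script runs on a machine without dpkg installed.

```python
import re

# Constructed sample, shaped like the output of `apt policy openssh-server` on Ubuntu 22.04.
# In practice you would capture this with subprocess.run(["apt", "policy", "openssh-server"]).
SAMPLE_APT_POLICY = """openssh-server:
  Installed: 1:8.9p1-3ubuntu0.1
  Candidate: 1:8.9p1-3ubuntu0.3
  Version table:
     1:8.9p1-3ubuntu0.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 1:8.9p1-3ubuntu0.1 100
        100 /var/lib/dpkg/status
"""


def parse_apt_policy(text):
    """Return (installed, candidate) from `apt policy <pkg>` output; '(none)' becomes None."""
    installed = candidate = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Installed:"):
            installed = line.split(":", 1)[1].strip()
        elif line.startswith("Candidate:"):
            candidate = line.split(":", 1)[1].strip()
    none = lambda v: None if v in (None, "(none)") else v
    return none(installed), none(candidate)


def _split_version(v):
    """Split '[epoch:]upstream[-revision]' into its three parts (deb-version(7))."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, revision = (v.rsplit("-", 1) if "-" in v else (v, ""))
    return epoch, upstream, revision


def _order(c):
    """Sort weight of one character: '~' < end of string < letters < other non-digits."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternating non-digit and digit runs."""
    i = j = 0
    ch = lambda s, k: s[k] if k < len(s) else ""
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character using _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = _order(ch(a, i)), _order(ch(b, j))
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then longer run wins, else first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_debian_versions(a, b):
    """Negative if a < b, zero if equal, positive if a > b, using dpkg ordering."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def assess(policy_output, fixed_version):
    """Classify a host as 'not-installed', 'update-needed' or 'patched' for one CVE.

    fixed_version is the package version the Ubuntu CVE tracker lists as containing the fix
    (placeholder here; take the real value from the tracker entry for the CVE in question).
    """
    installed, _candidate = parse_apt_policy(policy_output)
    if installed is None:
        return "not-installed"
    return "update-needed" if compare_debian_versions(installed, fixed_version) < 0 else "patched"


if __name__ == "__main__":
    print(assess(SAMPLE_APT_POLICY, "1:8.9p1-3ubuntu0.3"))  # update-needed
```

The point of the comparison function is that upstream version numbers are not what matters: 1:8.9p1-3ubuntu0.3 sorts below 1:9.3p1-1, yet it is the 8.9 package carrying the cherry-picked fix that the tracker names, so the script compares against the tracker's fixed version, not against the latest upstream release.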
