
exploitDog


BDU:2019-03898

Published: 03 Dec 2018
Source: fstec
CVSS3: 8.8
CVSS2: 9.3
EPSS Medium

Description

The libssh2 vulnerability is caused by an integer overflow. Exploiting it may allow a remote attacker to execute arbitrary code when a client connects to an SSH server.

Vendor

Red Hat Inc.
Free software community
Novell Inc.
Fedora Project
ООО «РусБИТех-Астра»

Software name

Red Hat Enterprise Linux
Debian GNU/Linux
OpenSUSE Leap
Fedora
Astra Linux Special Edition
libssh2
Astra Linux Special Edition for «Эльбрус»

Software version

Server 6 (Red Hat Enterprise Linux)
Desktop 6 (Red Hat Enterprise Linux)
Workstation 6 (Red Hat Enterprise Linux)
Desktop 7 (Red Hat Enterprise Linux)
Workstation 7 (Red Hat Enterprise Linux)
Server 7 (Red Hat Enterprise Linux)
9 (Debian GNU/Linux)
42.3 (OpenSUSE Leap)
28 (Fedora)
1.6 «Смоленск» (Astra Linux Special Edition)
29 (Fedora)
Server AUS 7.6 (Red Hat Enterprise Linux)
Server TUS 7.6 (Red Hat Enterprise Linux)
15.0 (OpenSUSE Leap)
30 (Fedora)
for Scientific Computing 7 (Red Hat Enterprise Linux)
for Power, little endian - Extended Update Supp 7.5 (Red Hat Enterprise Linux)
for Power, big endian - Extended Update Support 7.5 (Red Hat Enterprise Linux)
for IBM z Systems - Extended Update Support 7.5 (Red Hat Enterprise Linux)
for IBM z Systems 7 (Red Hat Enterprise Linux)
for ARM 64 7 (Red Hat Enterprise Linux)
8 (Debian GNU/Linux)
before 1.8.1 (libssh2)
for Power, big endian - Extended Update Support 7.6 (Red Hat Enterprise Linux)
for Power, little endian - Extended Update Support 7.6 (Red Hat Enterprise Linux)
for IBM z Systems - Extended Update Support 7.6 (Red Hat Enterprise Linux)
Server- Update Services for SAP Solutions 7.3 (Red Hat Enterprise Linux)
Server- Update Services for SAP Solutions 7.4 (Red Hat Enterprise Linux)
Server- Update Services for SAP Solutions 7.6 (Red Hat Enterprise Linux)
for Scientific Computing 6 (Red Hat Enterprise Linux)
Server - AUS 7.4 (Red Hat Enterprise Linux)
Server - TUS 7.4 (Red Hat Enterprise Linux)
Server - EUS 7.4 (Red Hat Enterprise Linux)
for Power, little endian - Extended Update Support 7.4 (Red Hat Enterprise Linux)
for Power, big endian - Extended Update Support 7.4 (Red Hat Enterprise Linux)
for IBM z Systems - Extended Update Support 7.4 (Red Hat Enterprise Linux)
Server - AUS 7.3 (Red Hat Enterprise Linux)
Server - TUS 7.3 (Red Hat Enterprise Linux)
8.1 «Ленинград» (Astra Linux Special Edition for «Эльбрус»)

Software type

Operating system
Information system application software

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Linux Server 6
Red Hat Inc. Red Hat Enterprise Linux Desktop 6
Red Hat Inc. Red Hat Enterprise Linux Workstation 6
Red Hat Inc. Red Hat Enterprise Linux Desktop 7
Red Hat Inc. Red Hat Enterprise Linux Workstation 7
Red Hat Inc. Red Hat Enterprise Linux Server 7
Novell Inc. OpenSUSE Leap 42.3
Fedora Project Fedora 28
ООО «РусБИТех-Астра» Astra Linux Special Edition 1.6 «Смоленск»
Fedora Project Fedora 29
Red Hat Inc. Red Hat Enterprise Linux Server AUS 7.6
Red Hat Inc. Red Hat Enterprise Linux Server TUS 7.6
Novell Inc. OpenSUSE Leap 15.0
Fedora Project Fedora 30
Red Hat Inc. Red Hat Enterprise Linux for Scientific Computing 7
Red Hat Inc. Red Hat Enterprise Linux for Power, little endian - Extended Update Supp 7.5
Red Hat Inc. Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5
Red Hat Inc. Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5
Red Hat Inc. Red Hat Enterprise Linux for IBM z Systems 7
Red Hat Inc. Red Hat Enterprise Linux for ARM 64 7
Free software community Debian GNU/Linux 8
Red Hat Inc. Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6
Red Hat Inc. Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6
Red Hat Inc. Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6
Red Hat Inc. Red Hat Enterprise Linux Server- Update Services for SAP Solutions 7.3
Red Hat Inc. Red Hat Enterprise Linux Server- Update Services for SAP Solutions 7.4
Red Hat Inc. Red Hat Enterprise Linux Server- Update Services for SAP Solutions 7.6
Red Hat Inc. Red Hat Enterprise Linux for Scientific Computing 6
Red Hat Inc. Red Hat Enterprise Linux Server - AUS 7.4
Red Hat Inc. Red Hat Enterprise Linux Server - TUS 7.4
Red Hat Inc. Red Hat Enterprise Linux Server - EUS 7.4
Red Hat Inc. Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.4
Red Hat Inc. Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.4
Red Hat Inc. Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.4
Red Hat Inc. Red Hat Enterprise Linux Server - AUS 7.3
Red Hat Inc. Red Hat Enterprise Linux Server - TUS 7.3
ООО «РусБИТех-Астра» Astra Linux Special Edition for «Эльбрус» 8.1 «Ленинград»

Vulnerability severity level

High severity (CVSS 2.0 base score: 9.3)
High severity (CVSS 3.0 base score: 8.8)

Possible remediation measures

Use the following recommendations:
For libssh2:
https://www.libssh2.org/CVE-2019-3855.html
For Novell Inc. software products:
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00040.html
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00003.html
For Red Hat Inc. software products:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3855
For Debian GNU/Linux:
https://lists.debian.org/debian-lts-announce/2019/03/msg00032.html
For Fedora Project software products:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5DK6VO2CEUTAJFYIKWNZKEKYMYR3NO2O/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6LUNHPW64IGCASZ4JQ2J5KDXNZN53DWW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7IF3LNHOA75O4WZWIHJLIRMA5LJUED3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XCWEA5ZCLKRDUK62QVVYMFWLWKOPX3LO/
For Astra Linux, use the recommendations given in bulletins No. 20190912SE16 and No. 20191225SE81:
https://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186
https://wiki.astralinux.ru/pages/viewpage.action?pageId=67111271

Vulnerability status

Confirmed by the vendor

Exploit availability

Information pending

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS

Percentile: 94%
Score: 0.12496
Medium

CVSS3: 8.8 High

CVSS2: 9.3 Critical

Related vulnerabilities

CVSS3: 8.8
ubuntu
about 6 years ago

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS3: 7.5
redhat
more than 6 years ago

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS3: 8.8
nvd
about 6 years ago

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.

CVSS3: 8.8
debian
about 6 years ago

An integer overflow flaw which could lead to an out of bounds write wa ...

CVSS3: 8.8
github
about 3 years ago

An integer overflow flaw which could lead to an out of bounds write was discovered in libssh2 before 1.8.1 in the way packets are read from the server. A remote attacker who compromises a SSH server may be able to execute code on the client system when a user connects to the server.
