regreSSHion (CVE-2024-6387): our response

Effective on July 10, 2024 · Arnaud Lefebvre, David Legrand

On July 1st, we were informed that an unauthenticated Remote Code Execution (RCE) vulnerability that could grant an attacker full root access had been found in OpenSSH's server (sshd) on glibc-based Linux systems. Our security team immediately ran sanity checks and listed the impacted services.

As stated by Qualys, "versions from 4.4p1 up to, but not including, 8.5p1 are not vulnerable due to a transformative patch for CVE-2006-5051, which made a previously unsafe function secure. The vulnerability resurfaces in versions from 8.5p1 up to, but not including, 9.8p1 due to the accidental removal of a critical component in a function."

There was no known exploit for 64-bit systems, but we immediately tightened our firewall rules for port 22 and packaged OpenSSH 9.8p1. We then deployed it on all our systems, images and managed services, and started to gradually redeploy our customers' applications. This work is now complete on all our servers and on thousands of virtual machines, without any impact.
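The version ranges quoted from Qualys above and the upgrade to 9.8p1 translate directly into an inventory check. The script below is an added example, not part of this post or of our tooling: it parses the version string from `ssh -V` output or an SSH server banner and classifies it against the ranges stated in the advisory. The banner lines embedded in it are constructed samples. One caveat a defender should keep in mind: distributions routinely backport the fix without bumping the upstream version, so a version-only check is a triage signal to confirm against the vendor's package changelog, not a final verdict.

```python
import re
from typing import Optional, Tuple

# Ranges taken from the Qualys statement quoted in the post:
#   < 4.4p1            : affected by the original CVE-2006-5051 bug
#   4.4p1  <= v < 8.5p1: not vulnerable (CVE-2006-5051 fix present)
#   8.5p1  <= v < 9.8p1: vulnerable (regression, CVE-2024-6387)
#   >= 9.8p1           : fixed
EARLY_FIX = (4, 4, 1)
VULN_START = (8, 5, 1)
FIXED = (9, 8, 1)

# Portable OpenSSH (what runs on glibc-based Linux) always carries a "pN" suffix,
# e.g. "OpenSSH_9.2p1 Debian-2+deb12u2" or "SSH-2.0-OpenSSH_8.4p1".
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.\d+)?p(\d+)")


def parse_openssh_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, portable_patch) from `ssh -V` output or a banner.

    Returns None when the text does not contain a portable OpenSSH version,
    e.g. for a Dropbear banner.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def classify(version: Tuple[int, int, int]) -> str:
    """Map a version tuple to 'vulnerable' or 'not_vulnerable' per the advisory.

    Tuple comparison orders (major, minor, pN) correctly because each component
    is compared numerically, so 9.7p1 < 9.8p1 and 8.10p1 > 8.5p1.
    """
    if version < EARLY_FIX:
        return "vulnerable"        # original CVE-2006-5051 bug
    if version < VULN_START:
        return "not_vulnerable"    # CVE-2006-5051 fix present, regression not yet introduced
    if version < FIXED:
        return "vulnerable"        # regreSSHion window
    return "not_vulnerable"        # 9.8p1 or later


def triage(text: str) -> Tuple[Optional[Tuple[int, int, int]], str]:
    """Parse and classify in one step; 'unknown' when no OpenSSH version is found.

    A 'vulnerable' result is a triage signal only: distribution packages often
    backport the fix under the same upstream version number.
    """
    version = parse_openssh_version(text)
    if version is None:
        return (None, "unknown")
    return (version, classify(version))


# Constructed sample inputs (not captured from any real host).
SAMPLE_INPUTS = [
    "OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.11 19 Sep 2023",  # `ssh -V` style
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",                      # server banner
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-dropbear_2022.83",
]

if __name__ == "__main__":
    for line in SAMPLE_INPUTS:
        version, status = triage(line)
        label = "unknown" if version is None else "%d.%dp%d" % version
        print(f"{status:15} {label:10} {line}")
```

Running the block as a script prints one status line per sample; feeding it the output of `ssh -V` from each host in an inventory gives a first pass at the list of systems to upgrade, to be reconciled with the vendor changelog before closing the ticket.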

You can contact our support team if you have further questions about this topic.
