IBM Information for VU#369347

OpenSSH vulnerabilities in challenge response handling

Status

Affected

Vendor Statement

IBM's AIX operating system does not ship with OpenSSH; however, OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The version included on the CD containing the Toolkit is vulnerable to the latest discovered vulnerability discussed here as is the version of OpenSSH available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to follow the recommendations above to limit their vulnerability.

We working with the changes for version 3.4 and will have a new package availble for download as soon as possible. When available the new packages can be downloaded from:


This site contains Linux Affinity applications containing cryptographic algorithms, and new users of this site are asked to register first.

The IBM HMC product is also affected by the SSH vulnerability described above. The HMC is the hardware monitor and control console used with IBM's Regatta systems. This is a seperate hardware unit that uses a Linux-based operating system and Open Source software.

Customers are advised to obtain the latest security paches for the HMC. These paches will be available early next week from the following URL:

Customers are advised to limit the use of SSH until these patches have been applied.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.