The vulnerability, caused by a signal handler race condition in OpenSSH’s server (sshd), allows unauthenticated remote code execution (RCE) as root on glibc-based Linux systems, presenting a significant security risk. This race condition affects sshd in its default configuration.
The Bitnami catalog is based on Debian, according to the Debian security tracker:
SSH server is installed and running in OVAs and Cloud Images for AWS, Google, and Azure Marketplaces. Bitnami Helm charts and container images are not affected. The Bitnami team is working on releasing new versions in all the Marketplaces.
The steps below describe how the bundled SSH package can be upgraded to a patched version:
Fix/Mitigation
By default, OVAs and Cloud Images include the unattended-upgrades package, which tries to install security updates automatically every day. It is also possible to force the cron job to run manually.
First of all, verify that you are running an affected version of the openssh package, as shown below:

```console
$ sudo dpkg -l | grep ssh
ii libssh2-1:amd64 1.10.0-3+b1 amd64 SSH2 client-side library
ii openssh-client 1:9.2p1-2+deb12u2 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:9.2p1-2+deb12u2 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:9.2p1-2+deb12u2 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
ii ssh 1:9.2p1-2+deb12u2 all secure shell client and server (metapackage)
```
If you are affected, force the unattended-upgrade run with the command below:

```console
$ sudo apt-get update && sudo unattended-upgrade -d
```
This writes new entries to the /var/log/unattended-upgrades/unattended-upgrades.log and /var/log/unattended-upgrades/unattended-upgrades-dpkg.log files, where you can confirm that the OpenSSH packages were updated and which version was installed:

```console
$ grep -i ssh /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
Preparing to unpack .../1-openssh-sftp-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-sftp-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../2-openssh-server_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-server (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../3-openssh-client_1%3a9.2p1-2+deb12u3_amd64.deb ...
Unpacking openssh-client (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Preparing to unpack .../5-ssh_1%3a9.2p1-2+deb12u3_all.deb ...
Unpacking ssh (1:9.2p1-2+deb12u3) over (1:9.2p1-2+deb12u2) ...
Setting up openssh-client (1:9.2p1-2+deb12u3) ...
Setting up openssh-sftp-server (1:9.2p1-2+deb12u3) ...
Setting up openssh-server (1:9.2p1-2+deb12u3) ...
```
After that, you can check that the new version has been installed:

```console
$ sudo dpkg -l | grep ssh
ii libssh2-1:amd64 1.10.0-3+b1 amd64 SSH2 client-side library
ii openssh-client 1:9.2p1-2+deb12u3 amd64 secure shell (SSH) client...
ii openssh-server 1:9.2p1-2+deb12u3 amd64 secure shell (SSH) server...
ii openssh-sftp-server 1:9.2p1-2+deb12u3 amd64 secure shell (SSH) sftp...
ii ssh 1:9.2p1-2+deb12u3 all secure shell client and server (metapackage)
```
From the client side, you can check that the server announces the updated package version by running the following command:

```console
$ ssh -v <user>@<ip-address> 2>&1 | grep -i openssh
OpenSSH_9.6p1, LibreSSL 3.3.6
debug1: Local version string SSH-2.0-OpenSSH_9.6
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.2p1 Debian-2+deb12u3
debug1: compat_banner: match: OpenSSH_9.2p1 Debian-2+deb12u3 pat OpenSSH* compat 0x04000000
```
If you have any questions about this process, please create an issue in our GitHub repository. We will be happy to help!
Updates

- [July 13, 2024, 10:05 AM (UTC)]:
  - 130 out of 132 (98%) OVAs released
  - 131 out of 133 (98%) AWS Images released
  - 79 out of 81 (98%) Azure Images released
  - 83 out of 84 (99%) Google Images released
- [July 11, 2024, 05:37 AM (UTC)]:
  - 130 out of 132 (98%) OVAs released
  - 131 out of 133 (98%) AWS Images released
  - 78 out of 81 (96%) Azure Images released
  - 82 out of 84 (98%) Google Images released
- [July 9, 2024, 06:12 AM (UTC)]:
  - 129 out of 132 (98%) OVAs released
  - 130 out of 133 (98%) AWS Images released
  - 77 out of 81 (95%) Azure Images released
  - 82 out of 84 (98%) Google Images released
- [July 3, 2024, 11:30 AM (UTC)]:
  - 129 out of 132 (98%) OVAs released
  - 129 out of 133 (98%) AWS Images released
  - 76 out of 81 (94%) Azure Images released
  - 76 out of 84 (91%) Google Images released