OpenSSL Vulnerabilities in Virtual Appliance on AWS


Article ID: 269002


Updated On:


CA Identity Suite


OpenSSL vulnerabilities are reported against the Virtual Appliance (vApp) running on AWS.

Version information obtained with ssh -v (the first line of its output; ssh -V prints the same line on its own):

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017


[CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.

[CVE-1999-0661] A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.
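Both findings above are version-based: CVE-2010-4755 names OpenSSH 5.8 and earlier, CVE-1999-0661 names OpenSSH 3.4p1, and the appliance reports OpenSSH 7.4p1. The following POSIX shell script is an added example, not part of the original article or of the vApp tooling: it parses the banner line shown above (embedded as a constructed sample), extracts the OpenSSH and OpenSSL versions, and compares the OpenSSH version against the 5.8 ceiling of CVE-2010-4755 so the report can be triaged before a patch request is raised. The function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the banner line printed by `ssh -v` / `ssh -V` on the appliance.
BANNER='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017'

# Print the OpenSSH version (e.g. "7.4p1") from a banner line.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^,]*\),.*/\1/p'
}

# Print the OpenSSL version (e.g. "1.0.2k-fips") from a banner line.
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# Compare the numeric major.minor part of two OpenSSH versions and print
# "older", "same" or "newer" for $1 relative to $2. Portable suffixes such
# as "p1" and anything after them are ignored.
compare_openssh() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    ref=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    case $have in *.*) ;; *) have="$have.0" ;; esac
    case $ref  in *.*) ;; *) ref="$ref.0"   ;; esac
    hmaj=${have%%.*}; hmin=${have#*.}; hmin=${hmin%%.*}
    rmaj=${ref%%.*};  rmin=${ref#*.};  rmin=${rmin%%.*}
    if [ "$hmaj" -lt "$rmaj" ] || { [ "$hmaj" -eq "$rmaj" ] && [ "$hmin" -lt "$rmin" ]; }; then
        echo older
    elif [ "$hmaj" -eq "$rmaj" ] && [ "$hmin" -eq "$rmin" ]; then
        echo same
    else
        echo newer
    fi
}

# CVE-2010-4755 affects OpenSSH 5.8 and earlier. Return 0 (true) when the
# banner's OpenSSH version is in that range, 1 otherwise. This is a pure
# version check: distributions backport fixes without changing the version,
# so a version in range still needs confirmation against the vendor's errata.
cve_2010_4755_by_version() {
    v=$(openssh_version "$1")
    case $(compare_openssh "$v" "5.8") in
        older|same) return 0 ;;
        *)          return 1 ;;
    esac
}

# Triage the constructed banner.
printf 'OpenSSH %s, OpenSSL %s\n' "$(openssh_version "$BANNER")" "$(openssl_version "$BANNER")"
if cve_2010_4755_by_version "$BANNER"; then
    echo 'CVE-2010-4755: OpenSSH version is 5.8 or earlier; check vendor errata for a backported fix'
else
    echo 'CVE-2010-4755: OpenSSH version is newer than 5.8; the report is not supported by the version'
fi
```

Run it with the banner from the appliance in BANNER; the comparison deliberately works on major.minor only, because the "p1" portable suffix is not part of the upstream release numbering.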



These findings are not reported for the Virtual Appliance running on CentOS 8 (VMware). Note that both CVEs listed above describe OpenSSH rather than OpenSSL, and the OpenSSH versions they name (5.8 and earlier, and 3.4p1) are older than the 7.4p1 the appliance reports, so confirm whether the report is based only on the version banner.


Virtual Appliance 14.4 CP2 on AWS


The OS security patch for these findings has to come from AWS.

To apply the OS patch, use the updateManager command.


For AWS deployments the operating system is owned by AWS, so OS security updates are not shipped with the product; they are applied only through the updateManager command.

Product updates are provided as patches and are applied with patch_vapp.