OpenSSL has a vulnerability on vApp running on AWS
Version string obtained with ssh -v:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
MITRE CVE - https://cve.mitre.org:
[CVE-2010-4755] The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632.
[CVE-1999-0661] A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.
This vulnerability is not present in the Virtual Appliance running on CentOS 8 (VMware).
Virtual Appliance 14.4 CP2 on AWS
AWS needs to provide a security patch for this vulnerability.
To apply the OS patch, you need to use the "updateManager" command.
For AWS, the OS is owned by AWS itself, so we do not provide security updates; only security updates are provided using updateManager.
Product updates are provided as patches, and they can be applied using patch_vapp.