Finding the openSSH version on ESX when a vulnerability scan is reporting possible vulnerabilities

Article ID: 419214

Products

VMware vSphere ESXi

Issue/Introduction

During a vulnerability scan (Qualys, Tenable, Nessus, etc.), vulnerabilities are reported against OpenSSH on ESX. Example OpenSSH vulnerabilities are:

  • CVE-2016-20012
  • CVE-2021-36368
  • CVE-2020-15778

After receiving the report from the scanner, check the OpenSSH version on ESX and compare it with the public CVE documentation for the reported vulnerabilities to determine whether the host is actually affected.

Cause

This behavior is largely due to vulnerability scanners referencing configuration files or other static files to detect hard-coded versions, while frequently overlooking the patch levels of installed packages.

Resolution

To validate the version of OpenSSH, run the following command on the host:

ssh -V

The output is as follows:

OpenSSH_9.8p1, OpenSSL 3.0.15 3 Sep 2024

This shows not only the major version (9.8) but also shows any patches that have been applied (p1 in this case).

Additional Information

If you receive a report for an OpenSSH vulnerability, take the following steps:

  1. Validate which versions are impacted by checking the public documentation for the CVE.
  2. Run the above command (see the Resolution section) to obtain the OpenSSH version on the host.
  3. If the host is at a fixed version according to the public documentation for the CVE, work with your security team or the vulnerability scanner vendor so they can correct the false positive.
  4. If the host is at a vulnerable version, engage Broadcom Support for further assistance.
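The comparison in steps 1 to 3, as an added example that is not part of this KB: a POSIX sh script that parses the line printed by ssh -V (the same format shown in the Resolution section) and checks it against the fixed-in version taken from a CVE advisory. The CVE id and fixed version used at the bottom are placeholders, not values from any real advisory.

```shell
#!/bin/sh
# Added example (not from the KB): parse the line printed by `ssh -V` and
# compare the installed OpenSSH version with the "fixed in" version taken
# from a CVE's public documentation. `ssh -V` writes to stderr, so capture
# it live with:  ver_line=$(ssh -V 2>&1)

# Extract "major minor patch" from a version line. Example:
#   "OpenSSH_9.8p1, OpenSSL 3.0.15 3 Sep 2024"  ->  "9 8 1"
# Prints nothing if the line is not an OpenSSH version string.
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p*\([0-9]*\).*/\1 \2 \3/p'
}

# openssh_at_least <ssh -V line> <fixed version, e.g. 9.8 or 9.8p1>
# Returns 0 if installed >= fixed, 1 if installed < fixed (possibly
# affected), 2 if the line could not be parsed.
openssh_at_least() {
    ver=$(parse_openssh_version "$1")
    [ -n "$ver" ] || return 2
    set -- "$2" $ver          # $1 fixed, $2 major, $3 minor, $4 patch (may be empty)
    fmaj=${1%%.*}; rest=${1#*.}; fmin=${rest%%p*}
    case "$rest" in *p*) fpat=${rest#*p} ;; *) fpat=0 ;; esac
    imaj=$2; imin=$3; ipat=${4:-0}
    [ "$imaj" -gt "$fmaj" ] && return 0
    [ "$imaj" -lt "$fmaj" ] && return 1
    [ "$imin" -gt "$fmin" ] && return 0
    [ "$imin" -lt "$fmin" ] && return 1
    [ "$ipat" -ge "$fpat" ]
}

# check_cve <CVE id> <fixed version> <ssh -V line>
# Prints the verdict that the article's steps 3 and 4 lead to.
check_cve() {
    rc=0; openssh_at_least "$3" "$2" || rc=$?
    case $rc in
        0) echo "$1: installed OpenSSH is at or above $2; report is likely a false positive" ;;
        1) echo "$1: installed OpenSSH is below $2; possibly affected, engage support" ;;
        *) echo "$1: could not parse version line: $3" ;;
    esac
}

# Constructed sample matching the output shown in this article; the CVE id
# and fixed version are placeholders, not taken from any real advisory.
SAMPLE_LINE='OpenSSH_9.8p1, OpenSSL 3.0.15 3 Sep 2024'
check_cve CVE-XXXX-NNNNN 9.8p1 "$SAMPLE_LINE"
```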

Japanese KB: How to find the OpenSSH version on ESXi when a vulnerability scan reports possible vulnerabilities