One of our clients regularly runs security scans on the gateway and has found a vulnerability.
The client is on the latest patch level (Layer7_API_PlatformUpdate_64bit_v10.X-CentOS-2022-01-26).
The CVE they found: CVE-2020-15778 (mitre.org).
Are you aware of this vulnerability, and how should we (or you) proceed on this issue?
Release: 10.0
Component:
According to the Red Hat site, this vulnerability is not fixed and will not be fixed:
https://access.redhat.com/security/cve/cve-2020-15778
The gateway runs CentOS but is built from the same Red Hat sources, so there is no fix to include in the platform patch.
In order to exploit this flaw, the attacker needs to social-engineer or manipulate a system administrator (who has root access on the remote server) into running scp with a malicious command-line parameter.
Administrators can uninstall openssh-clients for additional protection against accidental usage of this binary.
Removing the openssh-clients package will make binaries like scp and ssh unavailable on that system.
Also, administrators can change the execute permissions on the scp binary.
However, this mitigation will be in place until the openssh-clients package is updated.
https://bugzilla.redhat.com/show_bug.cgi?id=1860487
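As an added illustration of the second workaround (this is not part of the original answer or of any vendor tooling), a small POSIX shell audit that reports whether a given scp binary still carries an execute bit and, if asked, strips it; the default path is an assumption, and re-running the check after each openssh-clients update catches exactly the case the answer warns about.

```shell
#!/bin/sh
# Added example, not from the original page. The default scp path is an
# assumption; pass the real path as the first argument if it differs.

# Returns 0 when the mitigation is in place (binary absent or no execute
# bit set), 1 when the binary can still be executed.
scp_mitigation_in_place() {
    scp_path="${1:-/usr/bin/scp}"
    [ -e "$scp_path" ] || return 0      # an absent binary cannot be run
    [ -x "$scp_path" ] && return 1      # execute bit still set
    return 0
}

# Strips all execute bits from the binary; returns 0 on success.
# A package update reinstalls the binary with its default mode, so this
# must be re-applied (or the check above re-run) after every update.
apply_scp_mitigation() {
    scp_path="${1:-/usr/bin/scp}"
    [ -e "$scp_path" ] || return 0
    chmod a-x "$scp_path"
}

# One-line status for operators; exit status mirrors the check.
report_scp_status() {
    scp_path="${1:-/usr/bin/scp}"
    if scp_mitigation_in_place "$scp_path"; then
        echo "scp mitigation in place for $scp_path"
    else
        echo "scp still executable at $scp_path; re-apply after package updates"
        return 1
    fi
}
```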