This article applies to the following BoKS Manager versions:
Description
A vulnerability, CVE-2016-3115, has been found in the OpenSSH sshd binary. The vulnerability is described by the MITRE CVE dictionary as:
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
For more information about the vulnerability, please visit https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115
The BoKS SSH solution is based on OpenSSH, making the boks_sshd binary in BoKS 6.5, 6.6, 6.7 and 7.0 affected by this vulnerability.
Resolution / Workaround
To resolve this issue, apply Hotfix TFS160407-012310 (for BoKS Manager 6.5), HFBM-0113 (for BoKS Manager 6.6 and 6.7) or HFBM-0114 (for BoKS Manager 7.0), available for download from the HelpSystems Community Portal.
These hotfixes include an updated boks_sshd binary, where an OpenSSH patch for this vulnerability has been added.
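The root cause is that client-supplied X11 authentication strings were written unfiltered into the input of xauth(1), so a value containing a carriage return or line feed could add a second line. The check below is an added illustration, not BoKS or OpenSSH code: it applies the same kind of allowlist the upstream fix introduced, rejecting any auth protocol or cookie string that is not plain alphanumerics plus a few punctuation characters, before the line is built. The function names, the display value and the sample cookie strings are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Allowlist check for client-supplied X11 auth protocol/cookie strings.
 * Returns 1 if every byte is alphanumeric or one of . : / - _ , else 0.
 * CR and LF fail the check, so a crafted value cannot smuggle a second
 * line into what is later fed to xauth. (Hypothetical name.) */
int xauth_valid_string(const char *s)
{
    size_t i;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Shared output buffer for the "add" line (kept global for the demo). */
char xauth_line[256];

/* Build the single "add <display> <proto> <data>" line that would be
 * written to xauth's stdin. Returns 1 and fills xauth_line on success,
 * 0 if either client-controlled field fails validation or the line
 * would not fit. The display is server-generated, so it is not checked. */
int build_xauth_add(const char *display, const char *proto, const char *data)
{
    int n;
    if (!xauth_valid_string(proto) || !xauth_valid_string(data))
        return 0;
    n = snprintf(xauth_line, sizeof xauth_line, "add %s %s %s\n",
                 display, proto, data);
    return (n > 0 && (size_t)n < sizeof xauth_line) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample values: a normal hex cookie, then one with CRLF. */
    const char *good = "d0e5c37a1f2b3c4d5e6f708192a3b4c5";
    const char *bad  = "d0e5c37a\r\ninjected";
    printf("good cookie accepted: %d\n",
           build_xauth_add("unix:10.0", "MIT-MAGIC-COOKIE-1", good));
    printf("CRLF cookie accepted: %d\n",
           build_xauth_add("unix:10.0", "MIT-MAGIC-COOKIE-1", bad));
    return 0;
}
```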