This article applies to the following BoKS Manager versions:

  • 6.5.3
  • 6.5.4
  • 6.6.1
  • 6.6.2
  • 6.7.0
  • 6.7.1
  • 7.0.0

Description

A vulnerability, CVE-2016-3115, has been found in the OpenSSH sshd binary. The vulnerability is described by the MITRE CVE dictionary as:

Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.

For more information about the vulnerability, please visit https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3115

The BoKS SSH solution is based on OpenSSH, so the boks_sshd binary shipped with BoKS 6.5, 6.6, 6.7 and 7.0 is affected by this vulnerability.
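The flaw is that attacker-supplied X11 authentication protocol and cookie strings from an X11 forwarding request reach a shell command without being validated, so a CR or LF inside them terminates the intended command and starts another. The following is an added example, not code from OpenSSH, BoKS or the hotfix, of the kind of allowlist check a hardened session_x11_req applies to both fields before they are used; the function names and the set of accepted characters are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if s is safe to embed in an xauth command line, 0 otherwise.
 * Only characters found in legitimate X11 auth protocol names
 * (e.g. MIT-MAGIC-COOKIE-1) and hex cookies are accepted; CR, LF,
 * whitespace and shell metacharacters are rejected. The accepted set
 * is an assumption for this example, not the OpenSSH patch. */
int x11_auth_string_ok(const char *s)
{
    size_t i;

    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Decision a hardened X11 request handler makes: accept the forwarding
 * request only if both the protocol name and the cookie pass the check. */
int x11_request_ok(const char *auth_proto, const char *auth_data)
{
    return x11_auth_string_ok(auth_proto) && x11_auth_string_ok(auth_data);
}

int main(void)
{
    /* Constructed sample inputs: a legitimate request and one carrying CRLF. */
    const char *proto     = "MIT-MAGIC-COOKIE-1";
    const char *good_data = "0123456789abcdef0123456789abcdef";
    const char *bad_data  = "0123456789abcdef\r\nextra";

    printf("legitimate request accepted: %d\n", x11_request_ok(proto, good_data));
    printf("CRLF-bearing request accepted: %d\n", x11_request_ok(proto, bad_data));
    return 0;
}
```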

Resolution / Workaround

To resolve this issue, apply Hotfix TFS160407-012310 (for BoKS Manager 6.5), HFBM-0113 (for BoKS Manager 6.6 and 6.7) or HFBM-0114 (for BoKS Manager 7.0), available for download from the HelpSystems Community Portal.

These hotfixes include an updated boks_sshd binary that incorporates the OpenSSH patch for this vulnerability.


Last Modified On: May 25, 2018