Security Bulletin: OpenSSH for IBM i is affected by CVE-2021-41617

Summary

OpenSSH on IBM i is vulnerable to the issue described in the vulnerability details section. The applicability of the vulnerability is determined by an application’s specific use of OpenSSH. IBM i has addressed the CVE in the OpenSSH implementation.

Vulnerability Details

CVEID:CVE-2021-41617
**DESCRIPTION:**OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when certain non-default configurations are used. By executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a non-root user, an attacker could exploit this vulnerability to gain privileges associated with group memberships of the sshd process.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210062 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

The issues can be fixed by applying a PTF to IBM i. Releases 7.4, 7.3, 7.2, and 7.1 of IBM i are supported and will be fixed.

The IBM i PTF numbers are:
Release 7.1 – SI77663 Release 7.2, 7.3, & 7.4 – SI77631
https://www.ibm.com/support/fixcentral

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None