Security Bulletin: IBM Integrated Management Module II (IMM2) is affected by vulnerability in OpenSSH (CVE-2018-15919)

Summary

The following vulnerability in OpenSSH has been addressed by IBM Integrated Management Module II (IMM2).

Vulnerability Details

CVEID:CVE-2018-15919
**DESCRIPTION:**Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states ‘We understand that the OpenSSH developers do not want to treat such a username enumeration (or “oracle”) as a vulnerability.’
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148952 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral/&gt;

IBM Integrated Management Module II (IMM2) for System x and Flex

(ibm_fw_imm2_1aoo90b-7.40_anyos_noarch)

| 1AOO90B-7.40

IBM Integrated Management Module II (IMM2) for BladeCenter

(ibm_fw_imm2_1aoo90b-7.40-bc_anyos_noarch)

| 1AOO90B-7.40-bc

Workarounds and Mitigations

None