Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System

Summary

Redhat provided OpenSSH is used by IBM Integrated Analytics System. This bulletin provides mitigation for the reported CVE.

Vulnerability Details

CVEID:CVE-2020-15778
**DESCRIPTION:**OpenSSH could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation in the remote function in scp.c. By opening a specially crafted file containing backtick characters in the destination argument, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185805 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

None

Workarounds and Mitigations

Mitigation for reported CVE CVE-2020-15778is as follows:

This security flaw lies in the way scp command parses its command line arguments. The SSH protocol or any other applications shipped as a part of openssh-clients packages are not vulnerable.

We therefore recommends the use of rsync in the place of scp for better security. More details about supported alternatives available at: <https://access.redhat.com/articles/5284081&gt;