Security Bulletin: IBM i is affected by a vulnerability in OpenSSH (CVE-2018-15473)

Summary

OpenSSH is used by IBM i. IBM i has addressed the applicable CVE.

Vulnerability Details

CVEID:CVE-2018-15473
DESCRIPTION: OpenSSH could allow a remote attacker to obtain sensitive information, caused by different responses to valid and invalid authentication attempts. By sending a specially crafted request, an attacker could exploit this vulnerability to enumerate valid usernames.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148397&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Releases 7.1, 7.2, and 7.3 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i.

Releases 7.1, 7.2, and 7.3 of IBM i are supported and will be fixed.

[https://www-945.ibm.com/support/fixcentral/](< https://www-945.ibm.com/support/fixcentral/&gt;)

The IBM i PTF numbers are:

Release 7.1 – SI68325

Release 7.2 & 7.3 – SI68326

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None