Environment
Service Desk 7
Service Desk 7.4 Appliance
Situation
This TID pertains to MFSD v7.4 Appliance only.
MFSD v7.4 Appliance uses SLES 12 SP1 and OpenSSH v6.6p1-54.
A Qualys scan reports the vulnerability "CVE-2016-3115 OpenSSH Xauth Command Injection Vulnerability" when scanning the MFSD v7.4 Appliance, because the appliance runs OpenSSH version 6.6p1-54. The scanner finding reads:
OpenSSH Xauth Command Injection Vulnerability - SSH-2.0-OpenSSH_6.6.1 detected on port 22 over TCP.
Resolution
This Qualys finding is a false positive.
Per the SuSE Security website, this is not a vulnerability in the shipped package.
OpenSSH v6.6p1-54 on the MFSD v7.4 Appliance is not affected by CVE-2016-3115.
Additional Information
Bug
1059233
MFSD v7.4 Appliance has SLES 12 SP1 with OpenSSH v6.6p1-54.
MFSD v7.3 Appliance has SLES 12 with OpenSSH v7.2p2-140.
For the MFSD v7.4 release, the OpenSSH v6.6p1-54 package available in the SuSE repository was used because it contains the fix for the known vulnerability, even though its version number is lower than that of the package bundled with MFSD v7.3.
Both OpenSSH versions are free from the vulnerability reported by the Qualys tool (CVE-2016-3115), and this is documented on the SuSE Security site. SuSE Linux Enterprise Server for Service Desk.
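The scanner keys on the version string in the SSH banner (SSH-2.0-OpenSSH_6.6.1), while SUSE backports security fixes into the existing package version, so the banner alone cannot tell whether the fix is present. The script below is an added example, not part of this TID or of the appliance; it shows how an administrator would confirm the backport from the package changelog instead of the banner. On a real SLES host the changelog would come from `rpm -q --changelog openssh` (and the package version from `rpm -q openssh`); here a constructed sample changelog is embedded so the script runs offline, and the bug reference in it is a placeholder.

```shell
#!/bin/sh
# Added example (not from the TID): decide whether a banner-based scanner
# finding is a false positive by checking the package changelog for the CVE.

# Constructed sample resembling `rpm -q --changelog openssh` output.
# Dates, maintainer address and the bsc# reference are placeholders.
SAMPLE_CHANGELOG='* Wed Mar 16 2016 maintainer@example.invalid
- CVE-2016-3115: sanitize X11 authentication credentials (bsc#PLACEHOLDER)
- added openssh-xauth-sanitize.patch (placeholder patch name)
* Mon Jan 18 2016 maintainer@example.invalid
- earlier unrelated fix'

# Extract the upstream OpenSSH version exactly as a scanner reads it from
# the banner, e.g. "SSH-2.0-OpenSSH_6.6.1" -> "6.6.1". Prints nothing for
# banners that are not OpenSSH.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the changelog read from stdin records the given CVE id.
cve_in_changelog() {
    grep -qiF -- "$1"
}

# Classify a scanner finding for one CVE, given the observed banner and the
# package changelog text. Prints one of:
#   fixed-by-backport     the changelog documents the CVE fix
#   cve-not-in-changelog  no such entry; treat the finding as open until
#                         the vendor advisory says otherwise
#   not-openssh           banner is not an OpenSSH banner at all
assess_finding() {
    cve="$1"
    banner="$2"
    changelog="$3"
    ver=$(banner_version "$banner")
    if [ -z "$ver" ]; then
        echo "not-openssh"
        return 0
    fi
    if printf '%s\n' "$changelog" | cve_in_changelog "$cve"; then
        echo "fixed-by-backport"
    else
        echo "cve-not-in-changelog"
    fi
}

# Stand-alone demo using the constructed sample; on a real host replace
# "$SAMPLE_CHANGELOG" with "$(rpm -q --changelog openssh)".
demo() {
    banner='SSH-2.0-OpenSSH_6.6.1'
    echo "banner version: $(banner_version "$banner")"
    echo "CVE-2016-3115: $(assess_finding CVE-2016-3115 "$banner" "$SAMPLE_CHANGELOG")"
}
demo
```

The classification deliberately says "cve-not-in-changelog" rather than "vulnerable": a missing changelog entry only means the package gives no evidence of a backport, and the vendor's security advisory remains the authority, as it is in this TID.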