{"id":8984,"date":"2024-08-30T15:47:39","date_gmt":"2024-08-30T10:17:39","guid":{"rendered":"https:\/\/www.satup.xyz\/index.php\/2024\/08\/30\/regresshion-vulnerability-recommended-actions-and-steps-weve-taken\/"},"modified":"2024-08-30T15:47:39","modified_gmt":"2024-08-30T10:17:39","slug":"regresshion-vulnerability-recommended-actions-and-steps-weve-taken","status":"publish","type":"post","link":"https:\/\/www.satup.xyz\/index.php\/2024\/08\/30\/regresshion-vulnerability-recommended-actions-and-steps-weve-taken\/","title":{"rendered":"Regresshion vulnerability: Recommended actions and steps we’ve taken"},"content":{"rendered":"


\n<\/p>\n

\n
\n

DigitalOcean is aware of a new security issue with OpenSSH (sshd) that was released yesterday under the title \u201cregresshion\u201d or CVE-2024-6387<\/a>. This vulnerability appears to allow an attacker to gain remote root access on vulnerable Linux systems running OpenSSH. However, there are some important caveats. Notably, the exploit requires winning a race condition which can take several hours.<\/p>\n

We are asking our customers to upgrade SSHD on their Droplets. If customers are running their own SSHD servers as part of a containerized workload (e.g., SSHD inside a Kubernetes pod) you should upgrade that service and relaunch the workload. Instructions can be found below for how to update SSHD on Dropets.<\/p>\n

The table below lists the Security Notices published for each DigitalOcean provided distribution:<\/p>\n

As part of our shared responsibility model<\/a>, we are taking several actions in response to this vulnerability, which are outlined below.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Product<\/strong><\/th>\nStatus<\/strong><\/th>\nInstructions<\/strong><\/th>\n<\/tr>\n<\/thead>\n
App Platform<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Container Registry<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Droplet<\/td>\nAffected<\/strong><\/td>\nCustomer needs to upgrade openssh-server<\/code> and openssh-client<\/code>. Instructions below. DigitalOcean has patched Droplet Base Images for new deployments<\/td>\n<\/tr>\n
Functions<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Kubernetes<\/td>\nAffected<\/strong><\/td>\nPort 22 is disabled on cluster nodes by default, but customers may have enabled it. Customers can apply a cluster upgrade<\/a> or wait for their regular maintenance window<\/a> which will apply the patch.<\/td>\n<\/tr>\n
Load Balancers<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Managed Databases<\/td>\nAffected<\/strong><\/td>\nDigitalOcean has patched<\/td>\n<\/tr>\n
Monitoring<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Networking<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Spaces<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Spaces CDN<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
Volumes<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n
VPC<\/td>\nNot Affected<\/td>\nNo action needed<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n

Additionally, DigitalOcean is taking action to ensure the version of OpenSSH used across its internal environment is patched.<\/p>\n

Customer managed Droplets<\/a><\/h3>\n

Ubuntu and Debian<\/h4>\n

Interactive commands:<\/strong><\/p>\n

sudo<\/span> apt<\/span> update\nsudo<\/span> apt<\/span> install<\/span> --only-upgrade openssh-server openssh-client\n<\/code><\/pre>\n
Non-interactive commands:<\/strong><\/p>\n
sudo<\/span> apt<\/span> update\nsudo<\/span> env<\/span> DEBIAN_FRONTEND<\/span>=<\/span>noninteractive apt<\/span> install<\/span> --only-upgrade -y<\/span> openssh-server openssh-client\n<\/code><\/pre>\n
Note:<\/p>\n
    \n
  1. \n
    This command will only update OpenSSH server, client, and sftp.<\/p>\n<\/li>\n
  2. \n
    The interactive commands will require user input on how to handle the sshd_config (keep old, compare old to new, install new, etc.).<\/p>\n<\/li>\n
  3. \n
    The non-interactive commands will install the update and keep the existing sshd_config.<\/p>\n<\/li>\n
  4. \n
    The --only-upgrade<\/code> flag will only install the package if the package has been previously installed. This is a safety check.<\/p>\n<\/li>\n<\/ol>\n
    It is always a good idea to update your entire system but please be aware that this may introduce potential breaking issues.<\/p>\n
    CentOS, Fedora, Rocky Linux, AlmaLinux<\/h4>\n
    sudo<\/span> yum update openssh-server\nsudo<\/span> yum update openssh-clients\n<\/code><\/pre>\n<\/div>\n<\/div>\n

    \n
    Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    DigitalOcean is aware of a new security issue with OpenSSH (sshd) that was released yesterday under the title \u201cregresshion\u201d or CVE-2024-6387. This vulnerability appears to allow an attacker to gain remote root access on vulnerable Linux systems running OpenSSH. However, there are some important caveats. Notably, the exploit requires winning a race condition which can […]<\/p>\n","protected":false},"author":1,"featured_media":8532,"comment_status":"","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[16],"tags":[],"class_list":["post-8984","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-app-developer"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/posts\/8984","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/comments?post=8984"}],"version-history":[{"count":0,"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/posts\/8984\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/media\/8532"}],"wp:attachment":[{"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/media?parent=8984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/categories?post=8984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.satup.xyz\/index.php\/wp-json\/wp\/v2\/tags?post=8984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}