With the recent security announcement by libssh
(CVE-2018-10933) I wonder how to find out if any of my running services use the vulnerable library? I will eventually yum upgrade
the system but for now it would be nice to know if I'm in danger. I'm using Amazon Linux 2 AMI on EC2. Thanks!
- Do you even have it installed? – Michael Hampton Oct 17 '18 at 03:29
- Yes I do: `[ec2-user@ip-172-31-39-17 ~]$ rpm -qa | grep libssh` -> `libssh2-1.4.3-10.amzn2.1.2.x86_64` – I-P-X Oct 17 '18 at 07:23
- libssh and libssh2 are completely different and unrelated packages. – Michael Hampton Oct 17 '18 at 11:47
2 Answers
The vulnerability described here only applies to programs which run an ssh server using libssh code. The server used on virtually every VM is OpenSSH, which does not use libssh. It is irrelevant to programs which use libssh as an ssh client.
This vulnerability exists in libssh, not libssh2. These are completely different and unrelated packages.
If libssh is not installed, you are not vulnerable. Your system does not have libssh installed, so you are not vulnerable.
Even if libssh is installed, you must also be running an alternate SSH server which uses libssh. You are not doing this, so you are not vulnerable.
You can get a list of all packages that need libssh2 with `rpm -q --whatrequires`.
On my Amazon Linux 2 instance nothing seems to require it:
```
[root@ip-xx-xx-xx-xx ~]# rpm -q --whatrequires libssh2
no package requires libssh2
```
To be extra sure you can try to list all processes that have the shared library open:
```
[root@ip-xx-xx-xx-xx ~]# rpm -ql libssh2
/usr/lib64/libssh2.so.1
/usr/lib64/libssh2.so.1.0.1 <== this is the one
...
[root@ip-xx-xx-xx-xx ~]# fuser /usr/lib64/libssh2.so.1.0.1
(... empty output ...)
[root@ip-xx-xx-xx-xx ~]#
```
Looks like on my Amazon Linux 2 EC2 nothing uses libssh2. Note that `fuser` must be run as root or with `sudo`, otherwise you won't see any system processes.
Hope that helps :)
- This is the right procedure, but the package name is libssh, not libssh2. These are completely different and unrelated packages. – Michael Hampton Oct 17 '18 at 11:48
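The procedure in the second answer, with the correction from the comment (look for libssh, not libssh2), as an added example script that is not part of the question or either answer. It has two pieces: one filters an `rpm -qa` listing down to libssh packages while ignoring libssh2, and the other reads `/proc/<pid>/maps` to find processes that actually have a libssh shared object mapped, which covers the same ground as `fuser` without needing the psmisc package. The `PROC` variable, the function names and the `--audit` flag are this example's own inventions; run it as root (`sudo sh audit.sh --audit`) so that every process's maps file is readable.

```shell
#!/bin/sh
# Added example: audit a host for libssh (not libssh2) packages and for
# processes with a libssh shared object mapped. PROC is overridable only so
# the functions can be run against a constructed /proc-like directory.

PROC="${PROC:-/proc}"

# Read package names (one per line, as printed by "rpm -qa") on stdin and
# print only real libssh packages, i.e. names starting with "libssh-".
# "libssh2-..." never matches, because libssh2 is an unrelated library.
# Returns 0 if at least one libssh package was seen, 1 otherwise.
find_libssh_pkgs() {
    found=1
    while IFS= read -r pkg; do
        case "$pkg" in
            libssh-*) printf '%s\n' "$pkg"; found=0 ;;
        esac
    done
    return $found
}

# Print "<pid> <path>" for every process under $PROC whose maps file shows
# a mapped file named libssh.so or libssh.so.<version>. The regex requires
# "libssh." directly after the last slash, so libssh2.so* is excluded.
processes_using_libssh() {
    for maps in "$PROC"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$PROC"/}
        pid=${pid%/maps}
        # Field 6 of a maps line is the backing path; report each path once.
        awk -v pid="$pid" '
            $6 ~ /\/libssh\.so(\.|$)/ && !seen[$6]++ { print pid, $6 }
        ' "$maps" 2>/dev/null
    done
}

# Whole-host report: installed libssh packages, what depends on them, and
# which running processes have the library loaded.
audit_host() {
    echo "== libssh packages (libssh2 deliberately ignored) =="
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa | find_libssh_pkgs || echo "no libssh package installed"
        rpm -q --whatrequires libssh 2>/dev/null
    else
        echo "rpm not available on this host"
    fi
    echo "== processes with libssh mapped (run as root for full coverage) =="
    processes_using_libssh
}

if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

A process that shows up in the second list is one that loaded libssh, which is the condition the first answer names: only a program acting as an SSH server through libssh is exposed, so each hit still needs a look at what that program does with the library.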