5

With the recent security announcement by libssh (CVE-2018-10933) I wonder how to find out if any of my running services use the vulnerable library? I will eventually yum upgrade the system but for now it would be nice to know if I'm in danger. I'm using Amazon Linux 2 AMI on EC2. Thanks!

I-P-X

2 Answers

5

The vulnerability described here only applies to programs which run an ssh server using libssh code. The server used on virtually every VM is OpenSSH, which does not use libssh. It is irrelevant to programs which use libssh as an ssh client.

This vulnerability exists in libssh, not libssh2. These are completely different and unrelated packages.

If libssh is not installed, you are not vulnerable. Your system does not have libssh installed, so you are not vulnerable.

Even if libssh is installed, you must also be running an alternate SSH server which uses libssh. You are not doing this, so you are not vulnerable.

Michael Hampton
4

You can get a list of all packages that need libssh2 with rpm -q --whatrequires.

On my Amazon Linux 2 instance nothing seems to require it:

[root@ip-xx-xx-xx-xx ~]# rpm -q --whatrequires libssh2
no package requires libssh2

To be extra sure you can try to list all processes that have the shared library open:

[root@ip-xx-xx-xx-xx ~]# rpm -ql libssh2
/usr/lib64/libssh2.so.1
/usr/lib64/libssh2.so.1.0.1     <== this is the one
...
[root@ip-xx-xx-xx-xx ~]# fuser /usr/lib64/libssh2.so.1.0.1
(... empty output ...)
[root@ip-xx-xx-xx-xx ~]#

Looks like on my Amazon Linux 2 EC2 nothing uses libssh2. Note that fuser must be run as root or with sudo, otherwise you won't see any system processes.

Hope that helps :)

MLu
  • 2
    This is the right procedure, but the package name is libssh, not libssh2. These are completely different and unrelated packages. – Michael Hampton Oct 17 '18 at 11:48
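
The procedure from the second answer, applied to the libssh package named in the comment above, as an added example that is not code from either answer. It reads /proc/PID/maps instead of calling fuser, so it also flags processes that still map an old copy of the library after an upgrade. The function names and the `--report` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list running processes that map libssh (not libssh2).

# Succeeds only for libssh shared objects such as libssh.so.4;
# libssh2.so.* is a different, unrelated library and is rejected.
is_libssh_path() {
    case "${1##*/}" in
        libssh.so|libssh.so.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "PID STATE PATH" for each process under $1 (default /proc) that maps
# libssh. STATE is "stale" when the kernel marks the mapping "(deleted)":
# the file was replaced on disk, but the process still runs the old code
# until it is restarted.
find_libssh_users() {
    local root="${1:-/proc}" maps pid addr perms off dev inode path state
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid="${maps%/maps}"; pid="${pid##*/}"
        # maps columns: address perms offset dev inode pathname
        while read -r addr perms off dev inode path; do
            state=current
            case "$path" in
                *" (deleted)") state=stale; path="${path% (deleted)}" ;;
            esac
            is_libssh_path "$path" && echo "$pid $state $path"
        done < "$maps" | sort -u   # one line per library, not per segment
    done
}

# Package-level check (rpm, as in the answer) followed by the process scan.
report() {
    local hits
    if command -v rpm >/dev/null 2>&1; then
        rpm -q libssh || true                  # is the package installed?
        rpm -q --whatrequires libssh || true   # which packages depend on it?
    fi
    hits="$(find_libssh_users /proc)"
    if [ -n "$hits" ]; then printf '%s\n' "$hits"
    else echo "no running process maps libssh"; fi
}

# Run the live check only on request; root is needed to read every maps file.
if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as root with `--report`. A `stale` line after `yum upgrade` means that service has to be restarted before it picks up the patched library.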