Advisory on CVE-2024-6387

Remote Code Execution (RCE) in OpenSSH

On July 01, 2024, OpenSSH disclosed a vulnerability in Portable OpenSSH versions between 8.5 and 9.7 that may allow arbitrary code execution with root privileges in default configurations. The vulnerability is named regreSSHion.

The CVE ID CVE-2024-6387 is assigned to this vulnerability and classified as Critical severity with a CVSS score of 8.1. For more information about the technical details of the vulnerability, refer to the official advisory.

Impacted IONOS Cloud products

Risk on IONOS Cloud user environment

We do not see any sign of active exploitation of this vulnerability in our infrastructure or user environment. Cloud-provided compute engines already use the patched version of OpenSSH, so there is no risk to the cloud user environment.

What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud has already started the patching process for the affected products and services. The patching status is complete for Compute Engine, is ongoing for Managed Kubernetes, and will be updated once completed.

What action can you take to mitigate the vulnerability?

Users using compute engines with affected distribution should patch as per the vendor security guidelines. No action is required from the users using the Managed Kubernetes environment.

How can I get help?

If you have further questions or concerns about this vulnerability, contact IONOS Cloud Support.