# Advisory on CVE-2024-6387

## Remote Code Execution (RCE) in OpenSSH

On July 01, 2024, OpenSSH disclosed a vulnerability in Portable OpenSSH versions between `8.5` and `9.7` that may allow arbitrary code execution with root privileges in default configurations. The vulnerability is named **regreSSHion**.

The CVE ID [<mark style="color:blue;">CVE-2024-6387</mark>](https://nvd.nist.gov/vuln/detail/CVE-2024-6387?ref=franklinetech.com) is assigned to this vulnerability, which is classified as **Critical** severity with a CVSS score of **8.1**. For the technical details of the vulnerability, refer to the official [<mark style="color:blue;">advisory</mark>](https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion.txt).

## Impacted IONOS Cloud products

| Product Ranges   | Product                                                                                                                          | Impacted | Mitigated | Patch Status |
| ---------------- | -------------------------------------------------------------------------------------------------------------------------------- | -------- | --------- | ------------ |
| Compute Services | [<mark style="color:blue;">Compute Engine</mark>](https://docs.ionos.com/sections-test/guides/compute-services/compute-engine)   | Yes      | Yes       | Done         |
| Containers       | [<mark style="color:blue;">Managed Kubernetes</mark>](https://docs.ionos.com/sections-test/guides/containers/managed-kubernetes) | Yes      | Yes       | Done         |

## Risk to the IONOS Cloud user environment

We do not see any sign of active exploitation of this vulnerability in our infrastructure or user environment. Cloud-provided compute engines already use the patched version of OpenSSH, so there is no risk to the cloud user environment.

## What action has IONOS Cloud taken to mitigate the severity?

IONOS Cloud has already started the patching process for the affected products and services. Patching is complete for Compute Engine and ongoing for Managed Kubernetes; the status will be updated once patching is completed.

## What action can you take to mitigate the vulnerability?

Users running compute engines with an affected distribution should patch according to the distribution vendor's security guidelines. No action is required from users of the Managed Kubernetes environment.
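
As an added example (not IONOS Cloud or OpenSSH project code), the shell function below classifies the version string printed by `ssh -V` against the `8.5` to `9.7` range stated in this advisory, treated as inclusive by assumption. An `in-range` result means the package should be checked against the distribution's own advisory, because distributions often backport the fix without changing the upstream version number; the function name and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an OpenSSH version string against the range this
# advisory states (8.5 through 9.7; inclusive bounds are an assumption).
# "in-range" is a prompt to check the distro package changelog, not proof of
# exposure: a backported fix leaves the upstream version number unchanged.

# classify_openssh VERSION_STRING -> prints in-range | out-of-range | unknown
classify_openssh() {
    # Pull "MAJOR MINOR" out of the "OpenSSH_X.Y..." token that `ssh -V` prints.
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    # No OpenSSH version token found (other SSH server, empty input, ...).
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver% *}
    minor=${ver#* }
    # Fold into one integer so the comparison is numeric, not lexical
    # (a hypothetical 8.10 must sort after 8.9).
    n=$((major * 100 + minor))
    if [ "$n" -ge 805 ] && [ "$n" -le 907 ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Constructed sample version strings, one per line (not captured from real hosts).
samples='OpenSSH_8.4p1 Debian-5, OpenSSL 1.1.1n
OpenSSH_8.5p1, OpenSSL 1.1.1k
OpenSSH_9.6p1 Ubuntu-3, OpenSSL 3.0.13
OpenSSH_9.8p1, OpenSSL 3.3.1
SSH-2.0-dropbear_2022.83'

printf '%s\n' "$samples" | while IFS= read -r line; do
    printf '%-14s %s\n' "$(classify_openssh "$line")" "$line"
done

# On a host, classify the locally installed client (ssh -V writes to stderr):
#   classify_openssh "$(ssh -V 2>&1)"
```

For any host reported as `in-range`, compare the installed package version with the fixed version listed in the distribution vendor's security notice for CVE-2024-6387.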

## How can I get help?

If you have further questions or concerns about this vulnerability, contact [<mark style="color:blue;">IONOS Cloud Support</mark>](https://docs.ionos.com/cloud/support/general-information/contact-information).
