Last Updated: Friday August 6, 2024 2:00pm EDT
Status: Resolved – Solace Product Updates Released
Solace Reference #: SOL-121356
Solace is aware of the OpenSSH regreSSHion vulnerability (CVE-2024-6387). From NVD: “A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.”
The PubSub+ Appliance Event Broker, PubSub+ Software Event Broker, and PubSub+ Cloud are exposed to this vulnerability (see below for details). No other Solace products are affected.
Workaround: In Solace Cloud, we recommend disabling access to port 22 (SSH) until you have upgraded your Event Broker Services. See https://docs.solace.com/Cloud/enable-cli-for-cloud.htm.
Update July 26, 2024:
Solace has published updates to fully address CVE-2024-6387 and CVE-2024-6409. See details in the table below.
Version | Exposure | Resolution |
---|---|---|
9.13.1 and older | Not vulnerable | N/A |
10.0 | The following versions are vulnerable: 10.0.1.186 to 10.0.1.221 | This vulnerability is resolved in version 10.0.1.226 and greater. |
10.1 to 10.3 | Not vulnerable | N/A |
10.4 | The following versions are vulnerable: 10.4.1.161 to 10.4.1.212. Note: the PubSub+ FIPS certified Event Broker is not vulnerable. | This vulnerability is resolved in version 10.4.1.219 and greater. |
10.5 | Not vulnerable | N/A |
10.6 and newer | All versions prior to the following are vulnerable: | This vulnerability is resolved in the following versions: |
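As an added example (not Solace's own tooling), the following script encodes the version ranges from the table above so that an inventory of broker versions can be triaged without reading the table by hand. It only knows the ranges the advisory spells out: the concrete affected and fixed versions for 10.6 and newer are not listed on this page, so those are reported as "unknown" rather than guessed. The inventory at the bottom is constructed sample data.

```python
# Added example: triage PubSub+ Event Broker versions against the vulnerable
# ranges given in the Solace advisory table for CVE-2024-6387 / CVE-2024-6409.
# Only ranges the advisory states explicitly are encoded here.

from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (first vulnerable, last vulnerable, first fixed) per the advisory table.
VULNERABLE_RANGES = [
    ((10, 0, 1, 186), (10, 0, 1, 221), (10, 0, 1, 226)),
    ((10, 4, 1, 161), (10, 4, 1, 212), (10, 4, 1, 219)),
]

# Release trains the table marks "Not vulnerable" (besides 9.13.1 and older).
NOT_VULNERABLE_TRAINS = {(10, 1), (10, 2), (10, 3), (10, 5)}


def parse_version(text: str) -> Version:
    """Turn '10.4.1.200' into (10, 4, 1, 200); rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, fips: bool = False) -> str:
    """Classify one broker version using only what the advisory table states.

    Returns one of: 'vulnerable', 'fixed', 'not vulnerable', 'not listed',
    'unknown' (10.6+ ranges are not enumerated on the advisory page).
    """
    v = parse_version(version)
    train = v[:2]

    # Table: 9.13.1 and older are not vulnerable.
    if v <= (9, 13, 1):
        return "not vulnerable"

    # Table note: the FIPS-certified 10.4 build is not vulnerable.
    if fips and train == (10, 4):
        return "not vulnerable"

    for lo, hi, fixed in VULNERABLE_RANGES:
        if train != lo[:2]:
            continue
        if lo <= v <= hi:
            return "vulnerable"
        if v >= fixed:
            return "fixed"
        # Same train but outside both the affected range and the fixed range,
        # e.g. 10.0.1.223: the table says nothing about it.
        return "not listed"

    if train in NOT_VULNERABLE_TRAINS:
        return "not vulnerable"
    if train >= (10, 6):
        return "unknown"  # advisory page omits the concrete 10.6+ versions
    return "not listed"


def needs_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Names of services whose version is confirmed vulnerable by the table."""
    return sorted(name for name, ver in inventory.items()
                  if assess(ver) == "vulnerable")


if __name__ == "__main__":
    # Constructed sample inventory (service name -> broker version).
    sample = {
        "orders-broker": "10.4.1.170",
        "billing-broker": "10.5.0.3",
        "legacy-broker": "10.0.1.223",
        "new-broker": "10.6.1.10",
    }
    for name, ver in sample.items():
        print(f"{name:16} {ver:12} {assess(ver)}")
    print("needs upgrade:", needs_upgrade(sample))
```

Anything reported as "not listed" or "unknown" should be checked against the vendor's current table rather than treated as safe; the script deliberately refuses to extrapolate beyond the ranges the advisory publishes.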
Note
Solace has provided fixes for the following recently out-of-support products:
- Machine Images – An upgrade package will be published for all affected releases
- PubSub+ Cloud – An updated version of 10.4
We will regularly update this page with new information as it becomes available.