Last Updated: Thursday July 11, 2024 3:00pm EDT
Status: Active – Product Updates Pending

CVE-2024-6387

Solace Reference #: SOL-121356
Solace is aware of the OpenSSH RegreSSHion Vulnerability. From NVD: “A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.”

The PubSub+ Appliance Event Broker, PubSub+ Software Event Broker, and PubSub+ Cloud are exposed to this vulnerability (see below for details). No other Solace products are affected.

Update July 11, 2024:
On July 10, 2024, the scope of the regreSSHion vulnerability increased to include CVE-2024-6409. New guidance was also released by the community that the original fixes for CVE-2024-6387 are not sufficient to completely resolve this vulnerability. Solace will publish updates that fully address both CVE-2024-6387 and CVE-2024-6409. This vulnerability is still evolving in the wider community. As such, Solace plans to wait for a mature, industry-accepted resolution, and will publish updated PubSub+ Event Brokers on approximately July 25, 2024.

Solace published updates to address CVE-2024-6387 on Tuesday July 9, 2024; however, these updates do not address CVE-2024-6409, and Solace does not recommend adopting them. We recommend waiting for the forthcoming update that will address all of the regreSSHion vulnerabilities.

Version          | Exposure                                                      | Resolution
9.13.1 and older | Not vulnerable                                                | N/A
10.0             | The following versions are vulnerable: 10.0.1.186 and newer   | An updated version will be published to resolve this vulnerability. Availability: approximately July 25, 2024
10.1 - 10.3      | Not vulnerable                                                | N/A
10.4             | The following versions are vulnerable: 10.4.1.161 and newer. Note: The PubSub+ FIPS certified Event Broker is not vulnerable | An updated version will be published to resolve this vulnerability. Availability: approximately July 25, 2024
10.5             | Not vulnerable                                                | N/A
10.6 and newer   | All versions are vulnerable                                   | An updated version of all affected releases will be published to resolve this vulnerability. Availability: approximately July 25, 2024
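To check a fleet of brokers against the exposure table above, the following added example (not Solace code) encodes the table's version ranges and classifies a dotted version string; the version format and the `fips` flag marking the FIPS certified build are assumptions, and versions the table does not list are reported as unknown rather than guessed.

```python
from typing import Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Parse a dotted PubSub+ version such as '10.4.1.161' into a comparable tuple."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)

# Exposure rules transcribed from the advisory table.
# (major, minor) branch -> first vulnerable build in that branch,
# or None when the whole branch is listed as not vulnerable.
BRANCH_RULES: dict = {
    (10, 0): (10, 0, 1, 186),
    (10, 1): None,
    (10, 2): None,
    (10, 3): None,
    (10, 4): (10, 4, 1, 161),
    (10, 5): None,
}

def exposure(version: str, fips: bool = False) -> str:
    """Return 'vulnerable', 'not vulnerable' or 'unknown' for one broker version.

    `fips` (assumed flag) marks the PubSub+ FIPS certified Event Broker,
    which the table lists as not vulnerable on the 10.4 branch.
    """
    v = parse_version(version)
    if v[:3] <= (9, 13, 1):           # "9.13.1 and older"
        return "not vulnerable"
    if v[:2] >= (10, 6):              # "10.6 and newer: all versions are vulnerable"
        return "vulnerable"
    first_bad: Optional[Tuple[int, ...]]
    branch = v[:2]
    if branch not in BRANCH_RULES:    # e.g. 9.13.2, which the table does not cover
        return "unknown"
    first_bad = BRANCH_RULES[branch]
    if first_bad is None:
        return "not vulnerable"
    if branch == (10, 4) and fips:
        return "not vulnerable"
    return "vulnerable" if v >= first_bad else "not vulnerable"

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("broker-a", "10.4.1.160"), ("broker-b", "10.4.1.161"), ("broker-c", "10.7.0.3")]:
        print(host, ver, exposure(ver))
```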


Note

At the same time, Solace will also provide fixes for the following recently out-of-support products:

  • Machine Images – An upgrade package will be published for all affected releases
  • PubSub+ Cloud – An updated version of 10.4

We will regularly update this page with new information as it becomes available.

Still have questions or concerns?

If you have any additional questions or concerns about how a specific vulnerability affects you, please reach out to our Support team.
