Linux 2 OpenSSH Failing Vulnerability Scan

0

My Linux 2 server is failing because its OpenSSH version is earlier than version 8.5 (documented in CVE-2021-28041).
What I would like to know is: is there anywhere that AWS documents that they have addressed this issue, CVE-2021-28041? I recognize that AWS does update the binaries on their own, and when I checked RedHat, they describe the issue as a non-issue for them, because the issue was introduced in version 8.3. I assume that is the same for AWS Linux 2, but I need to prove it to my provider or I fail my PCI Compliance vulnerability assessment. It would be great if AWS simply identified it and documented that they are updating OpenSSH directly and did not include this vulnerability, or something to that effect.

1 Answer
0

Hi,

Thank you for reaching out to AWS re:Post. I understand you want documentation on a specific CVE (CVE-2021-28041).

From my investigation there is no AWS documentation on CVE-2021-28041. CVE-2021-28041 does not affect OpenSSH on Amazon Linux 2. The bug was introduced in OpenSSH 8.2 and, since it has not been backported, it would not affect earlier versions.

Unfortunately, there are no details on this particular CVE as of now. For further details on Amazon Linux 2 security and privacy events you can refer to the Amazon Linux Security Center [1]. Unfortunately, you would not be able to find any details regarding your CVE here since it doesn’t pertain to Amazon Linux 2.

Please contact us if you have any further questions, and feel free to reach out to us via a support case to facilitate a discussion on the specifics of your resources.

[1] Amazon Linux Security - https://alas.aws.amazon.com/

answered 2 years ago
AWS
SUPPORT ENGINEER
reviewed 2 years ago
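The thread's point is that a scanner matching on version number alone cannot tell an unaffected older version (or a distribution backport) from a vulnerable one. The script below is an added example, not something from the question, the answer or AWS: it gives you the two checks a PCI assessor will usually accept as evidence. It parses an OpenSSH version string (as printed by `ssh -V` or returned by `rpm -q openssh`) and tests it against the affected range implied by the thread (introduced in 8.2 per the answer, fixed in 8.5 per the question, so the range [8.2, 8.5) is an assumption taken from those two statements), and it greps package changelog text (what `rpm -q --changelog openssh` prints on RPM-based systems) for the CVE identifier, which is how a backported fix shows up even when the version number never changes. The sample version strings and changelog entry are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the re:Post thread). Offline checks for the
# "version-only" false positive discussed above. Assumption: CVE-2021-28041
# affects 8.2 <= version < 8.5 (8.2 from the answer, 8.5 from the question).

# Extract "major minor" from strings such as
#   "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips"   (ssh -V output)
#   "openssh-7.4p1-21.amzn2.0.1"           (rpm -q openssh style)
ssh_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Return 0 if the version is inside the affected range, 1 if outside,
# 2 if the string could not be parsed.
cve_2021_28041_version_affected() {
    set -- $(ssh_major_minor "$1")
    [ -n "$1" ] || return 2
    major=$1
    minor=$2
    if [ "$major" -eq 8 ] && [ "$minor" -ge 2 ] && [ "$minor" -lt 5 ]; then
        return 0
    fi
    return 1
}

# Read changelog text on stdin and return 0 if it mentions the CVE id in $1.
# On a live host: rpm -q --changelog openssh | changelog_mentions_cve CVE-2021-28041
changelog_mentions_cve() {
    grep -q -F -- "$1"
}

# Combine both checks into one verdict string:
#   fixed-by-backport     changelog names the CVE (version number is irrelevant)
#   affected              version inside the range and no backport recorded
#   not-affected-version  version outside the range
#   unknown-version       version string not parseable
cve_2021_28041_verdict() {
    version="$1"
    changelog="$2"
    if printf '%s\n' "$changelog" | changelog_mentions_cve CVE-2021-28041; then
        echo fixed-by-backport
        return 0
    fi
    cve_2021_28041_version_affected "$version" && rc=0 || rc=$?
    case $rc in
        0) echo affected ;;
        1) echo not-affected-version ;;
        *) echo unknown-version ;;
    esac
}

# Constructed sample data standing in for `ssh -V 2>&1` and
# `rpm -q --changelog openssh` on the host being assessed.
SAMPLE_SSH_V='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips'
SAMPLE_CHANGELOG='* Mon Jan 01 2021 Example Maintainer <maintainer@example.com> - 7.4p1-21
- constructed sample entry: security fix for CVE-0000-00000 (placeholder id)'

# Usage on a real host (replace the samples with live output):
#   cve_2021_28041_verdict "$(ssh -V 2>&1)" "$(rpm -q --changelog openssh)"
echo "verdict for '$SAMPLE_SSH_V': $(cve_2021_28041_verdict "$SAMPLE_SSH_V" "$SAMPLE_CHANGELOG")"
```

Keep the output of both live commands (`ssh -V 2>&1` and `rpm -q --changelog openssh`) with the verdict; together with the distribution's advisory page cited in the answer, that is the evidence trail an assessor needs to mark a version-match finding as a false positive.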
