CVE-2017-15906
First published: Wed Oct 25 2017(Updated: )
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/openssh | <7.6 | 7.6 |
| Openbsd Openssh | <7.6 | |
| Oracle Sun Zfs Storage Appliance Kit | =8.8.6 | |
| Debian Debian Linux | =8.0 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Cloud Backup | ||
| NetApp Clustered Data ONTAP | ||
| Netapp Data Ontap Edge | ||
| Netapp Hci Management Node | ||
| NetApp OnCommand Unified Manager Core Package | ||
| Netapp Solidfire | ||
| Netapp Steelstore Cloud Integrated Storage | ||
| Netapp Storage Replication Adapter For Clustered Data Ontap Vmware Vsphere | >=9.7 | |
| Netapp Storage Replication Adapter For Clustered Data Ontap Vmware Vsphere | =9.6 | |
| Netapp Vasa Provider For Clustered Data Ontap | >=6.0<=6.2 | |
| Netapp Vasa Provider For Clustered Data Ontap | >=9.7 | |
| Netapp Virtual Storage Console Vmware Vsphere | >=9.7 | |
| Netapp Virtual Storage Console Vmware Vsphere | =9.6 | |
| All of | ||
| Netapp Cn1610 Firmware | ||
| Netapp Cn1610 | ||
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Eus | =7.6 | |
| Redhat Enterprise Linux Eus | =7.7 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Aus | =7.6 | |
| Redhat Enterprise Linux Server Aus | =7.7 | |
| Redhat Enterprise Linux Server Tus | =7.6 | |
| Redhat Enterprise Linux Server Tus | =7.7 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Netapp Cn1610 Firmware | ||
| Netapp Cn1610 | ||
| debian/openssh | 1:8.4p1-5+deb11u3 1:9.2p1-2+deb12u2 1:9.2p1-2+deb12u3 1:9.8p1-2 | |
| ubuntu/openssh | <1:7.5 | 1:7.5 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:6.6 | 1:6.6 |
| ubuntu/openssh | <1:7.6 | 1:7.6 |
| ubuntu/openssh | <1:7.2 | 1:7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/openbsd/src/commit/a6981567e8e215acc1ef690c8dbb30f2d9b00a19
- https://www.openssh.com/txt/release-7.6
- https://security.gentoo.org/glsa/201801-05
- http://www.securityfocus.com/bid/101552
- https://access.redhat.com/errata/RHSA-2018:0980
- https://security.netapp.com/advisory/ntap-20180423-0004/
- https://lists.debian.org/debian-lts-announce/2018/09/msg00010.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
- https://launchpad.net/bugs/cve/CVE-2017-15906
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1506631
- https://bugzilla.redhat.com/show_bug.cgi?id=1506630
- https://security-tracker.debian.org/tracker/CVE-2017-15906
- https://ubuntu.com/security/notices/USN-3538-1
- https://xorl.wordpress.com/2017/11/13/openssh-sftp-server-remote-security-vulnerability/
- https://www.cve.org/CVERecord?id=CVE-2017-15906
- https://nvd.nist.gov/vuln/detail/CVE-2017-15906
- https://ubuntu.com/security/CVE-2017-15906
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/weakness
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-15906
- agent/software-canonical-lookup
- agent/description
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/tags
- agent/event
- package-manager/redhat
- vendor/openbsd
- canonical/openbsd openssh
- vendor/oracle
- canonical/oracle sun zfs storage appliance kit
- version/oracle sun zfs storage appliance kit/8.8.6
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp cloud backup
- canonical/netapp clustered data ontap
- canonical/netapp data ontap edge
- canonical/netapp hci management node
- canonical/netapp oncommand unified manager core package
- canonical/netapp solidfire
- canonical/netapp steelstore cloud integrated storage
- canonical/netapp storage replication adapter for clustered data ontap vmware vsphere
- version/netapp storage replication adapter for clustered data ontap vmware vsphere/9.7
- version/netapp storage replication adapter for clustered data ontap vmware vsphere/9.6
- canonical/netapp vasa provider for clustered data ontap
- version/netapp vasa provider for clustered data ontap/6.0
- version/netapp vasa provider for clustered data ontap/6.2
- version/netapp vasa provider for clustered data ontap/9.7
- canonical/netapp virtual storage console vmware vsphere
- version/netapp virtual storage console vmware vsphere/9.7
- version/netapp virtual storage console vmware vsphere/9.6
- canonical/netapp cn1610 firmware
- canonical/netapp cn1610
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/7.6
- version/redhat enterprise linux eus/7.7
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.6
- version/redhat enterprise linux server aus/7.7
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.6
- version/redhat enterprise linux server tus/7.7
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- package-manager/ubuntu
- package-manager/debian