SSB-2024-003 - OpenSSH Remote Code Execution

CVSS score v3.1
Base 8.1
Temporal 7.3
Environmental 0.0

Scalingo is aware of the recently reported issue regarding OpenSSH (CVE-2024-6387).

This vulnerability (CVE-2024-6387, nicknamed "regreSSHion") is a signal handler race condition in sshd: when a client fails to authenticate within LoginGraceTime, the SIGALRM handler calls functions that are not async-signal-safe. Because sshd runs as root, a successful race lets an unauthenticated attacker remotely execute arbitrary code with root privileges.

OpenSSH is not used in our PaaS and DBaaS environments. The Scalingo infrastructure servers have been patched.

The OpenSSH project states that versions 8.5p1 through 9.7p1 (i.e. everything before 9.8p1) are confirmed exploitable on 32-bit Linux systems running glibc with ASLR enabled. Scalingo does not deploy 32-bit systems.

The project adds that exploitation on 64-bit systems, and on systems without glibc, is believed possible but has not been demonstrated.
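As an added example, not part of the Scalingo bulletin or of OpenSSH's own tooling, the following Python script turns the version range above into a check that can be run against `ssh -V` output or against the identification banner an sshd sends on connect. The function names, the sample banners and the hostnames are assumptions constructed for this example; the only facts it encodes are the 8.5p1 to 9.7p1 range and the 32-bit Linux/glibc condition stated above. One caveat the range alone cannot capture: distributions backport the fix without bumping the upstream version, so an in-range result means "check the package changelog", not "exploitable".

```python
"""Check an OpenSSH version string against the CVE-2024-6387 affected range."""
import re
import socket

# Affected range stated by the OpenSSH 9.8 release notes: 8.5p1 up to, but
# not including, 9.8p1. Only (major, minor) is compared because the range
# boundaries fall on the first portable release of each version.
FIRST_AFFECTED = (8, 5)
FIRST_FIXED = (9, 8)

# Matches "OpenSSH_9.6p1" in an `ssh -V` line or in an "SSH-2.0-..." banner.
_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(text):
    """Return (major, minor, portable) from a banner or `ssh -V` line, else None.

    A version without a "pN" suffix (the non-portable OpenBSD release) is
    returned with portable=0; the range check below treats it conservatively,
    i.e. the same as a portable release (assumption made for this example).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, portable = m.groups()
    return (int(major), int(minor), int(portable) if portable else 0)


def in_affected_range(version):
    """True when FIRST_AFFECTED <= (major, minor) < FIRST_FIXED."""
    return FIRST_AFFECTED <= tuple(version[:2]) < FIRST_FIXED


def assess(text, is_32bit_glibc_linux=False):
    """Classify a version string.

    Returns one of:
      "not-openssh"           no OpenSSH version found in the text
      "not-affected"          outside the 8.5p1 .. 9.7p1 range
      "affected-confirmed"    in range on 32-bit Linux/glibc (exploitation demonstrated)
      "affected-unconfirmed"  in range elsewhere (believed possible, not demonstrated)

    Caveat: distro packages may carry a backported fix under an in-range
    version string, so "affected-*" means "verify the package", not "exploitable".
    """
    version = parse_openssh_version(text)
    if version is None:
        return "not-openssh"
    if not in_affected_range(version):
        return "not-affected"
    return "affected-confirmed" if is_32bit_glibc_linux else "affected-unconfirmed"


def fetch_banner(host, port=22, timeout=5.0):
    """Read a live server's identification line (RFC 4253 section 4.2).

    The server may send arbitrary text lines before the "SSH-" line, so skip
    those. Network access is required; the sample run below does not use it.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(20):
            line = reader.readline().decode("ascii", "replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line received")


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = {
    "old-unaffected": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "first-affected": "SSH-2.0-OpenSSH_8.5p1",
    "last-affected": "SSH-2.0-OpenSSH_9.7p1",
    "fixed": "SSH-2.0-OpenSSH_9.8p1",
    "dropbear": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    import sys
    # Usage: python check_regresshion.py [host]   (host is a hypothetical target)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    banners = {target: fetch_banner(target)} if target else SAMPLE_BANNERS
    for label, banner in banners.items():
        print(f"{label:16} {banner:45} -> {assess(banner)}")
```

Run without arguments it classifies the constructed banners; with a hostname it grabs the real banner first. Pass `is_32bit_glibc_linux=True` to `assess()` only when you know the target's architecture, since the banner itself does not reveal it.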

Action required

None

Scalingo PaaS

Scalingo Platform-As-A-Service is not impacted.

Scalingo DBaaS addons

Scalingo Database-As-A-Service addons, including Elasticsearch, are not impacted: OpenSSH is not used in the DBaaS environment.

Other Scalingo addons and services

Scalingo internal systems were potentially vulnerable, but the affected servers have been patched.

Changelog

2024-07-23 : Initial version


©2024 Scalingo