OpenSSH is used by IBM i. IBM i has addressed the following vulnerabilities.
CVEID: CVE-2019-6109
DESCRIPTION: OpenSSH could allow a remote attacker to conduct spoofing attacks, caused by missing character encoding in the progress display. A man-in-the-middle attacker could exploit this vulnerability to spoof scp client output.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/155488> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID:CVE-2019-6111
**DESCRIPTION:*OpenSSH could allow a remote attacker to overwrite arbitrary files on the system, caused by missing received object name validation by the scp client. The scp implementation accepts arbitrary files sent by the server and a man-in-the-middle attacker could exploit this vulnerability to overwrite unrelated files.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/155486> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)
CVEID:CVE-2018-20685
**DESCRIPTION:*OpenSSH could allow a remote attacker to bypass security restrictions, caused by directory name validation by scp.c in the scp client. A man-in-the-middle attacker could exploit this vulnerability using the filename of . or an empty filename to bypass access restrictions and modify permissions of the target directory.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/155484> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
Releases 7.1, 7.2, and 7.3 of IBM i are affected.
The issue can be fixed by applying a PTF to IBM i.
Releases 7.1, 7.2, and 7.3 of IBM i are supported and will be fixed.
The IBM i PTF numbers are:
Release 7.1 – SI69329
Release 7.2 & 7.3 – SI69336
[https://www-945.ibm.com/support/fixcentral/](< https://www-945.ibm.com/support/fixcentral/>)
_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
None