regreSSHion vulnerability: Recommended actions and steps we’ve taken


DigitalOcean is aware of a new security issue with OpenSSH (sshd) that was released yesterday under the title “regreSSHion” or CVE-2024-6387. This vulnerability appears to allow an attacker to gain remote root access on vulnerable Linux systems running OpenSSH. However, there are some important caveats. Notably, the exploit requires winning a race condition, which can take several hours.

We are asking our customers to upgrade SSHD on their Droplets. If you are running your own SSHD server as part of a containerized workload (e.g., SSHD inside a Kubernetes pod), upgrade that service and relaunch the workload. Instructions for updating SSHD on Droplets can be found below.

The table below lists the Security Notices published for each DigitalOcean-provided distribution:

As part of our shared responsibility model, we are taking several actions in response to this vulnerability, which are outlined below.

| Product | Status | Instructions |
|---|---|---|
| App Platform | Not Affected | No action needed |
| Container Registry | Not Affected | No action needed |
| Droplet | Affected | Customer needs to upgrade openssh-server and openssh-client. Instructions below. DigitalOcean has patched Droplet Base Images for new deployments. |
| Functions | Not Affected | No action needed |
| Kubernetes | Affected | Port 22 is disabled on cluster nodes by default, but customers may have enabled it. Customers can apply a cluster upgrade or wait for their regular maintenance window, which will apply the patch. |
| Load Balancers | Not Affected | No action needed |
| Managed Databases | Affected | DigitalOcean has patched |
| Monitoring | Not Affected | No action needed |
| Networking | Not Affected | No action needed |
| Spaces | Not Affected | No action needed |
| Spaces CDN | Not Affected | No action needed |
| Volumes | Not Affected | No action needed |
| VPC | Not Affected | No action needed |

Additionally, DigitalOcean is taking action to ensure the version of OpenSSH used across its internal environment is patched.
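The Droplet row above says to upgrade openssh-server and openssh-client. The script below is an added triage example written for this page; it is not DigitalOcean's own instructions. It assumes a Debian- or Ubuntu-based Droplet managed with apt, that the SSH service unit is named `ssh` (as on Debian and Ubuntu), and that the upstream affected range is OpenSSH 8.5p1 up to but not including 9.8p1, plus releases before 4.4p1 (the ranges published in the CVE-2024-6387 advisory). The important caveat it encodes is that distributions backport the fix without changing the upstream version string, so a version inside the range means "check the package changelog for CVE-2024-6387", not "confirmed vulnerable". The banner strings in the comments and tests are constructed samples.

```shell
#!/bin/sh
# Added example for this page (not DigitalOcean's instructions): triage a
# Debian/Ubuntu Droplet for CVE-2024-6387 and, on request, upgrade OpenSSH.
#
# Assumptions (labelled): apt-based Droplet; SSH unit is named "ssh";
# upstream affected range is 8.5p1 <= v < 9.8p1, or v < 4.4p1.

# Turn a banner such as the constructed sample
# "OpenSSH_9.6p1 Ubuntu-3ubuntu13.4, OpenSSL 3.0.13" into "9 6 1"
# (major, minor, portable patch level). Returns 1 if no version is found.
parse_openssh_version() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# True (exit 0) when the upstream version string falls inside the affected
# range; exit 2 when the string cannot be parsed. Major/minor are packed as
# major*100+minor so 8.5p1 -> 805, 9.8p1 -> 908, 4.4p1 -> 404.
upstream_in_affected_range() {
    ver=$(parse_openssh_version "$1") || return 2
    set -- $ver
    n=$(($1 * 100 + $2))
    if [ "$n" -lt 404 ]; then
        return 0
    fi
    [ "$n" -ge 805 ] && [ "$n" -lt 908 ]
}

# Backported fixes keep the upstream version but record the CVE id in the
# Debian changelog shipped with the package. Exit 0 if the id is present,
# 1 if absent, 2 if the changelog is not readable (e.g. docs stripped).
debian_changelog_mentions_cve() {
    pkg=${1:-openssh-server}
    f=/usr/share/doc/$pkg/changelog.Debian.gz
    [ -r "$f" ] || return 2
    zcat "$f" | grep -q 'CVE-2024-6387'
}

# Triage the local host. "ssh -V" reports the openssh-client build; on
# Debian/Ubuntu client and server come from the same source package, and
# "dpkg -s openssh-server" shows the server package version for cross-checking.
main() {
    banner=$(ssh -V 2>&1 | head -n 1)
    echo "local OpenSSH: $banner"
    if ! parse_openssh_version "$banner" >/dev/null; then
        echo "could not parse an OpenSSH version from the banner; inspect manually"
        return 2
    fi
    if ! upstream_in_affected_range "$banner"; then
        echo "upstream version is outside the affected range"
        return 0
    fi
    if debian_changelog_mentions_cve openssh-server; then
        echo "version is in range, but the package changelog records CVE-2024-6387: fix appears backported"
        return 0
    fi
    echo "version is in range and no backport was found: upgrade openssh-server and openssh-client"
    if [ "${1:-}" = "--upgrade" ]; then
        apt-get update
        apt-get install -y --only-upgrade openssh-server openssh-client
        # The package postinst normally restarts the daemon; restart
        # explicitly so the running sshd is the patched binary.
        systemctl restart ssh
    fi
}

# Only act when asked, so sourcing the file for its functions is side-effect free:
#   sh regresshion-check.sh --check     (report only)
#   sh regresshion-check.sh --upgrade   (report, then upgrade as root)
case "${1:-}" in
    --check|--upgrade) main "$1" ;;
esac
```

Run it with `--check` first and read the output before using `--upgrade`; on distributions whose documentation directory is trimmed, `debian_changelog_mentions_cve` returns 2 and the script falls through to recommending an upgrade, which is the safe default. For non-Debian images the version parsing still applies, but the package query and service name need the distribution's equivalents.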

Customer managed Droplets
