We have a GitLab instance visible to the public Internet, and it’s getting alerts on the two vulnerabilities below, related to port 22 with an old SSH version. However, the OS considers the two vulnerabilities low impact and has not released an upgrade yet to the newer OpenSSH version. I’m wondering if there is a way to:
- Still maintain git access by SSH, but avoid getting discovery scanning on port 22.
- How did gitlab.com resolve this issue? Is there a suggestion we can follow?
Or any other advice would be highly appreciated.
The two vulnerabilities are:
Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states ‘We understand that the OpenSSH developers do not want to treat such a username enumeration (or “oracle”) as a vulnerability.’
The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.
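An added example, not from the question, from GitLab or from OpenSSH: a small Python audit that reads an sshd_config the way sshd does (first value for a keyword wins, anything after a `Match` line is conditional) and reports the three exposures the question concerns: GSSAPI authentication enabled (the GSS2 username oracle), the sftp subsystem enabled (the sftp-server readonly-mode bug) and sshd on the default port 22. Both configs below are constructed samples; the assumption is that a host serving only git over SSH needs neither GSSAPI authentication nor sftp.

```python
"""Audit sshd_config for the settings behind the question's two alerts."""
import re

# Constructed sample: distro-style defaults that leave both code paths reachable.
SAMPLE_CONFIG = """\
#Port 22
GSSAPIAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication no
Match User git
    GSSAPIAuthentication no
"""

# Constructed sample: the same host after disabling what git-over-SSH does not use.
HARDENED_CONFIG = """\
Port 2222
GSSAPIAuthentication no
PasswordAuthentication no
# no 'Subsystem sftp' line: git push/pull over SSH never touches sftp-server
"""


def parse_sshd_config(text):
    """Return effective global settings as {lower-cased keyword: value}.

    sshd keeps the first value it sees for a keyword and ignores later duplicates.
    Subsystem lines are collected separately; parsing stops at the first Match
    block because those settings apply only to matching users/hosts.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break
        if key == "subsystem":
            effective.setdefault("subsystems", []).append(value.split()[0].lower())
        else:
            effective.setdefault(key, value)
    return effective


def audit(text):
    """List findings; each is an exposure reachable with this config."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("gssapiauthentication", "no").lower() == "yes":
        findings.append("GSSAPIAuthentication yes: GSS2 username-enumeration path is reachable")
    if "sftp" in cfg.get("subsystems", []):
        findings.append("Subsystem sftp enabled: sftp-server readonly-mode bug is reachable")
    if cfg.get("port", "22") == "22":  # sshd defaults to 22 when no Port line is set
        findings.append("sshd on port 22: picked up by default-port discovery scans")
    return findings
```

Moving the port only removes the host from default-port scans, so it is noise reduction rather than a fix; if you do move it, GitLab's clone URLs must follow by setting `gitlab_rails['gitlab_shell_ssh_port']` to the same value in gitlab.rb, and the OpenSSH upgrade is still the actual remediation.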