The recent security vulnerability in OpenSSH – nicknamed RegreSSHion for good reason – is already patched in Flownative Beach.

The issue, assigned CVE-2024-6387 and published on July 1st, is rated with a score of 8.1 out of 10. So we understand our customers are worried about a potential impact on our Flownative Beach cloud hosting.

The issue in two sentences: There is a race condition which can lead the SSH server to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

In practice it takes at least 6-8 hours to exploit the issue. Time that is wasted at our Beach…

The vulnerability was announced on July 1st, and our nightly builds included the patched versions released that day. So yesterday, on July 2nd, our SSH gateway was already fixed and secured.

In Flownative Beach, every instance has a second SSH server. To update that, you can simply trigger a deployment and you will get the up-to-date version of the container software in use. Even if you still run the older SSH version in your instance's "private SSH server", that is only accessible if you have already authenticated against our (already patched) gateway.

Rest assured, this issue is fixed in Flownative Beach. 🩹