Recently moved to Rocky 9 and my vulnerability scanner is flagging up false positives due to it only looking at the banner of OpenSSH and OpenSSL and creating an alert for each vulnerability which applies to OpenSSH 8.7 and OpenSSL 3.0.7.
I have been able to identify these false positives by looking through the changelog and seeing the CVE reference is resolved, but the few I have listed below are not showing within the changelog, so I am wondering if they are impacting my Rocky 9 installation or if they have also been resolved.
The problem is your vulnerability scanner is reporting the wrong results for a system it doesn’t seem to recognise properly. I would suggest reporting the inaccuracies to the vendor of your vulnerability scanner.
Such inaccuracies will always exist due to Red Hat backporting security fixes, such that the version announced by sshd doesn't match the actual upstream state.
For details, see Security Backporting Practice - Red Hat Customer Portal
One can get more accurate scans of RHEL derivatives if using e.g. OpenSCAP with OVAL, which is what most solid security scanners use. However, that requires SSH access.
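The check the answer above describes, as an added example that is not code from either post: instead of trusting the "OpenSSH_8.7" banner, look the CVE id up in the RPM changelog of the installed package, and treat a miss as "go to OVAL" rather than "vulnerable". The changelog text, maintainer, dates and CVE ids in the sample are constructed placeholders, not real fix records; the `rpm` and `oscap` commands in the trailing comments are the real tools but are not executed here.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts): classify a
# banner-based scanner hit using the package changelog, the way Red Hat and
# Rocky record backported fixes. Live usage on a Rocky 9 host would feed in
# the output of `rpm -q --changelog openssh`; a constructed sample is used here.

# Constructed sample changelog. CVE ids, dates and maintainer are placeholders.
SAMPLE_CHANGELOG='* Mon Jan 01 2024 Example Maintainer <maint@example.com> - 8.7p1-99
- Backport fix for CVE-2024-11111 (constructed sample entry)
- Refresh patch set

* Mon Jan 01 2023 Example Maintainer <maint@example.com> - 8.7p1-50
- Fix cve-2023-22222 and CVE-2023-33333 (constructed sample entries)
'

# Extract "X.Y" from an SSH banner such as "SSH-2.0-OpenSSH_8.7p1". This is all
# a banner-only scanner ever sees, so it cannot tell 8.7p1-50 from 8.7p1-99.
# Prints nothing if the banner is not from OpenSSH.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if the CVE id appears in the changelog text. Case-insensitive and
# bounded by non-digits so CVE-2023-2222 does not match CVE-2023-22222.
cve_in_changelog() {
    changelog=$1
    cve=$2
    printf '%s\n' "$changelog" | grep -Eiq "(^|[^0-9])${cve}([^0-9]|$)"
}

# Classify one scanner finding. A changelog hit is positive evidence of a
# backported fix; a miss is not proof of exposure, so hand it to an OVAL scan.
classify_finding() {
    if cve_in_changelog "$1" "$2"; then
        echo fixed-by-backport
    else
        echo check-oval
    fi
}

# Live usage on Rocky 9 (not executed in this example; CVE-YYYY-NNNNN is a placeholder):
#   classify_finding "$(rpm -q --changelog openssh)" CVE-YYYY-NNNNN
# For the authoritative answer on a "check-oval" result, evaluate the
# distribution's OVAL definitions with OpenSCAP, e.g.:
#   oscap oval eval --results results.xml --report report.html rhel-9.oval.xml
# (the OVAL file comes from the distribution's security data feed; this thread
# does not give its download location).
```

The regex boundary in `cve_in_changelog` matters in practice: changelogs often list several ids on one line, and a bare substring match on a shorter id would report the wrong CVE as fixed.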