Updated version of the check

This commit is contained in:
Eliezer Croitoru 2024-07-07 23:09:37 +03:00
parent a9ce0c5dd7
commit ca0f6e4fd0

View File

@ -38,14 +38,33 @@
- debug:
msg: "{{ openssh_version }}"
- name: Check if OpenSSH version is affected by CVE-2024-6387
- name: "Parse OpenSSH server version"
set_fact:
openssh_version_number: "{% set ver_num = openssh_version.split('p')[0] | int %}"
- debug:
msg: "{{ openssh_version_number }}"
- name: "Parse OpenSSH server version"
set_fact:
openssh_version_suffix: "{% set ver_suffix = openssh_version.split('p')[1] | int %}"
when: openssh_version | regex_search('p\d+$')
- name: "Some task that defines openssh_version_suffix (if needed)"
set_fact:
openssh_version_suffix: "p0"
when: openssh_version_suffix is undefined
- debug:
msg: "{{ openssh_version_suffix }}"
- name: "Check if OpenSSH version is affected by CVE-2024-6387"
set_fact:
is_vulnerable: >
{% set ver_num = openssh_version.split('p')[0] | int %}
{% set ver_suffix = openssh_version.split('p')[1] | int %}
{% if openssh_version in affected_versions or
(ver_num < min_safe_version.split('p')[0] | int) or
(ver_num == min_safe_version.split('p')[0] | int and ver_suffix < min_safe_version.split('p')[1] | int) %}
(ver_num < min_safe_version.split('p')[0] | int) or
(ver_num == min_safe_version.split('p')[0] | int and ver_suffix < min_safe_version.split('p')[1] | int) %}
true
{% else %}
false
@ -55,3 +74,7 @@
debug:
msg: >
OpenSSH version {{ openssh_version }} is {% if is_vulnerable %} ## vulnerable ## {% else %} not vulnerable {% endif %} to CVE-2024-6387.
- fail:
msg: "The server openssh version is vulnerable to CVE-2024-6387!!!"
when: is_vulnerable