ArcATL
(Nick Pozza)
March 11, 2024, 7:01pm
1
We self-host a server with Bitwarden and we have just received the following Alert CVE-2023-38408 Severity: 9.8
CORRECTIVE ACTION
Lock down configuration
NOTES
SSH must have password auth disabled and only accepting key based authentication
I have run the update script on the server and we are running bitwarden/setup 2024.2.3
Status: Image is up to date for bitwarden/setup:2024.2.3
docker.io/bitwarden/setup:2024.2.3
Please advise how to correct the issue.
grb
March 12, 2024, 1:07am
2
@ArcATL Welcome to the forum!
I’m no expert on self-hosting, but Googling the CVE in question suggests to me that you may need to upgrade your operating system… What operating system version are you running your server on?
ArcATL
(Nick Pozza)
March 12, 2024, 1:26am
3
The server is Ubuntu 20.04.2 LTS. Logging into the server I do see "22.04.3 LTS is available. Run 'do-release-upgrade' to upgrade to it."
I will do a backup of the server, but should it be that simple to just run that command, or is there anything else I should take into consideration with Bitwarden?
grb
March 12, 2024, 1:37am
4
Like I said, this is out of my wheel-house.
But you may find some relevant information at the following two links:
Hello,
I'm trying to upgrade OpenSSH to 9.3.p2 on a number of Ubuntu Server 20.04 LTS VMs to avoid the exploit mentioned in CVE-2023-38408.
20.04 LTS seems to come packaged with OpenSSH_8.2p1 Ubuntu-4ubuntu0.3, OpenSSL 1.1.1f 31 Mar 2020.
...
ArcATL
(Nick Pozza)
March 12, 2024, 2:06am
5
Thank you for your assistance. After reading through some of those posts, I did an apt-get update and upgrade, and it looks like I am on openssh-server 1:8.2p1-4ubuntu0.11. The server is still on 20.04.2; we will see if the security scan comes up clean now.
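Two checks for the items the alert raised (package fix level and key-only SSH authentication), written as an added example rather than anything posted in the thread or shipped by Bitwarden: `version_is_fixed`, `key_only_auth`, `audit_server` and the FIXED_VERSION placeholder are assumed names, and the fixed package revision must be taken from the Ubuntu security notice because the thread does not give it.

```shell
#!/bin/sh
# Added example (not from the forum thread): audit the two findings behind the
# alert on an Ubuntu host. Ubuntu backports security fixes while keeping the
# upstream "8.2p1" in the version, so a scanner reading only the SSH banner can
# keep flagging a patched box; compare the full package version against the
# revision named in the Ubuntu security notice for the CVE instead.

# Return 0 when installed version $1 is >= fixed version $2.
# Prefers dpkg's comparison (handles the "1:" epoch and "ubuntu" revisions);
# falls back to GNU sort -V when dpkg is not available.
version_is_fixed() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
  fi
}

# Return 0 when the effective sshd config ($1, text as printed by `sshd -T`,
# one lowercase keyword and value per line) disables password authentication
# and keeps public-key authentication on. Both default to "yes" when absent.
key_only_auth() {
  local pw pk
  pw=$(printf '%s\n' "$1" | awk 'tolower($1)=="passwordauthentication"{print tolower($2)}')
  pk=$(printf '%s\n' "$1" | awk 'tolower($1)=="pubkeyauthentication"{print tolower($2)}')
  [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# Live audit; needs root for `sshd -T`. FIXED_VERSION is a placeholder to be
# replaced with the revision from the Ubuntu security notice (assumed value).
audit_server() {
  fixed="${FIXED_VERSION:-1:8.2p1-4ubuntu0.PLACEHOLDER}"
  installed=$(dpkg-query -W -f='${Version}' openssh-server 2>/dev/null)
  if version_is_fixed "$installed" "$fixed"; then
    echo "openssh-server $installed: at or above $fixed"
  else
    echo "openssh-server ${installed:-missing}: below $fixed, upgrade"
  fi
  if key_only_auth "$(sshd -T 2>/dev/null)"; then
    echo "sshd: password auth off, public-key auth on"
  else
    echo "sshd: password auth enabled or pubkey auth off, fix sshd_config"
  fi
}

# Run the live audit only when asked, so the functions can be sourced/tested.
if [ "${1:-}" = "--live" ]; then audit_server; fi
```

Run it as root with `--live` on the host; the version check reports against whatever FIXED_VERSION you export from the security notice.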