
Security Bulletin: IBM Fusion HCI is vulnerable to Authorization Bypass due to Golang x/crypto (CVE-2024-45337, CVE-2025-22869)

Summary

IBM Fusion HCI includes, but does not run or call, an SSH Server that is part of the Golang x/crypto module. This SSH Server is vulnerable to Denial of Service and Authorization Bypass. (CVE-2024-45337, CVE-2025-22869)

Vulnerability Details

CVEID: CVE-2025-22869
DESCRIPTION: SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-45337
DESCRIPTION: Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make…
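The CVE-2024-45337 description above turns on one protocol fact: a client may offer a public key without a signature just to ask whether it would be accepted, so the server's callback runs for keys that never prove possession. The following Go program is an added example, not IBM's or x/crypto's code; it uses only the standard library and models that flow with stand-in types (AuthRequest, Permissions, PublicKeyCallback, the sessionID bytes, and the seeds used to derive keys A and B are all constructed for the example). It puts the misuse pattern (the callback records the last key it saw and the server trusts that) beside the safe pattern (the callback returns the identity inside the Permissions, and the server reads it from the key that actually verified). In real x/crypto the equivalent defence is the same idea: return the identity in the Permissions from ServerConfig.PublicKeyCallback and read ServerConn.Permissions after the handshake, rather than keeping state in the callback.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
)

// Toy model, constructed for this example, of the SSH "publickey" method as a
// server sees it. A client may offer a key without a signature to ask whether it
// would be accepted, and only later offer a key with a signature that proves
// possession. The callback runs for both kinds of offer, so the key the
// callback saw last is not necessarily the key that authenticated.
type AuthRequest struct {
	Key       ed25519.PublicKey
	Signature []byte // nil for a query-only offer
}

// Permissions stands in for the per-connection record a server keeps about who
// authenticated (x/crypto has a type of the same name; this one is a stand-in).
type Permissions struct {
	Extensions map[string]string
}

type PublicKeyCallback func(key ed25519.PublicKey) (*Permissions, error)

// sessionID is the constructed data a client signs to prove possession.
var sessionID = []byte("constructed-session-id")

func fingerprint(k ed25519.PublicKey) string { return hex.EncodeToString(k)[:16] }

// authenticate processes offers in order. Callback results are cached per key,
// so a signed offer of a key that was already queried does not invoke the
// callback again. It returns the Permissions the callback produced for the key
// that actually proved possession.
func authenticate(reqs []AuthRequest, cb PublicKeyCallback) (*Permissions, error) {
	cache := map[string]*Permissions{} // nil entry means the key was rejected
	for _, r := range reqs {
		fp := fingerprint(r.Key)
		perms, seen := cache[fp]
		if !seen {
			perms, _ = cb(r.Key)
			cache[fp] = perms
		}
		if perms == nil || r.Signature == nil {
			continue // rejected key, or a query with no proof of possession
		}
		if ed25519.Verify(r.Key, sessionID, r.Signature) {
			return perms, nil
		}
	}
	return nil, fmt.Errorf("no offered key proved possession")
}

// VulnerableAttribution is the misuse pattern: the callback records the key it
// was last handed and the server attributes the session to that key.
func VulnerableAttribution(reqs []AuthRequest, allowed map[string]bool) (string, error) {
	var lastSeen string
	cb := func(k ed25519.PublicKey) (*Permissions, error) {
		fp := fingerprint(k)
		if !allowed[fp] {
			return nil, fmt.Errorf("unknown key")
		}
		lastSeen = fp // BUG: callback order says nothing about who authenticated
		return &Permissions{}, nil
	}
	if _, err := authenticate(reqs, cb); err != nil {
		return "", err
	}
	return lastSeen, nil
}

// SafeAttribution carries the identity inside the Permissions the callback
// returns, so the server reads it from the key that was verified.
func SafeAttribution(reqs []AuthRequest, allowed map[string]bool) (string, error) {
	cb := func(k ed25519.PublicKey) (*Permissions, error) {
		fp := fingerprint(k)
		if !allowed[fp] {
			return nil, fmt.Errorf("unknown key")
		}
		return &Permissions{Extensions: map[string]string{"pubkey-fp": fp}}, nil
	}
	perms, err := authenticate(reqs, cb)
	if err != nil {
		return "", err
	}
	return perms.Extensions["pubkey-fp"], nil
}

// Scenario derives two authorized keys (A, B) from constructed seeds and replays
// the offer sequence "query A, query B, signed A". It returns the fingerprint
// each attribution strategy reports and the fingerprint that really signed.
func Scenario() (vulnerable, safe, actual string, err error) {
	privA := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	privB := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x02}, ed25519.SeedSize))
	pubA := privA.Public().(ed25519.PublicKey)
	pubB := privB.Public().(ed25519.PublicKey)
	allowed := map[string]bool{fingerprint(pubA): true, fingerprint(pubB): true}

	reqs := []AuthRequest{
		{Key: pubA},
		{Key: pubB},
		{Key: pubA, Signature: ed25519.Sign(privA, sessionID)},
	}
	if vulnerable, err = VulnerableAttribution(reqs, allowed); err != nil {
		return
	}
	if safe, err = SafeAttribution(reqs, allowed); err != nil {
		return
	}
	return vulnerable, safe, fingerprint(pubA), nil
}

func main() {
	v, s, actual, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("signed by %s; last-callback pattern says %s; permissions say %s\n", actual, v, s)
}
```

Running it shows the last-callback pattern attributing the session to key B, which only ever queried, while the Permissions-based pattern attributes it to key A, the key that signed. The caching behaviour in authenticate is a simplification, but it is enough to show why "the key the callback saw last" must not be treated as the authenticated identity.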

