VMware vSphere and security scan false positives on OpenSSH vulnerabilities
This is something that we get on a regular basis from the security team. When they run their regular compliance and vulnerability scans, I always get back a long list of ESX hosts. The scans normally come back complaining about an OpenSSH X11 vulnerability or an OpenSSH memory and buffer overflow.
These seem to be false positives from the tool being used to scan the hosts. We always make sure that we have installed the necessary OpenSSH updates as VMware releases them, but the tool always comes back with these issues. It seems to stem from the fact that the tool identifies OpenSSH generically and assumes that every vendor ships it the same way, rather than checking what the vendor's own build actually contains. In the documents listed below, VMware indicates that since ESX 3.x it no longer includes the X11 packages with its products. I would recommend that you make sure you are up to date on your patches, and if the scans still come back dirty, discuss these results with the vendor that created the scanning tool. You might find out that this is common and they are just false positives.
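As an added example (not from the original post or from VMware), a small Python triage helper that applies the reasoning above: it checks whether the vendor package changelog names the reported CVE (a backported fix that a generic version check misses) and, for X11 findings, whether X11 forwarding is disabled and no X11 packages are installed. The changelog text, sshd_config snippet and CVE identifiers are constructed placeholders, and the `rpm -q` commands in the comments are only the assumed source of that data.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str      # identifier from the scanner report (placeholder values below)
    title: str
    banner: str   # what the scanner saw on port 22


@dataclass
class HostFacts:
    changelog: str        # assumed source: `rpm -q --changelog openssh-server`
    sshd_config: str      # contents of /etc/ssh/sshd_config
    x11_installed: bool   # assumed source: `rpm -q` for the X11/xauth packages


def upstream_version(banner: str) -> str:
    """'SSH-2.0-OpenSSH_3.9p1' -> '3.9p1': all a generic banner check sees."""
    m = re.search(r"OpenSSH_([\w.]+)", banner)
    return m.group(1) if m else "unknown"


def x11_forwarding_disabled(sshd_config: str) -> bool:
    m = re.search(r"^\s*X11Forwarding\s+(\S+)", sshd_config, re.M | re.I)
    return bool(m) and m.group(1).lower() == "no"


def triage(f: Finding, host: HostFacts) -> str:
    """Classify a finding as fixed-by-backport, not-applicable or needs-review."""
    if f.cve.upper() in host.changelog.upper():
        return "fixed-by-backport"   # vendor fixed it without bumping the upstream version
    if (re.search(r"x11|xauth", f.title, re.I)
            and x11_forwarding_disabled(host.sshd_config) and not host.x11_installed):
        return "not-applicable"      # feature disabled and packages absent on the host
    return "needs-review"            # no evidence either way: escalate to the vendor


# Constructed sample data; the CVE ids are placeholders, not real advisories.
HOST = HostFacts(
    changelog="* 3.9p1-8.vmw.24\n- backport fix for CVE-XXXX-0001 (buffer handling)\n",
    sshd_config="Protocol 2\nX11Forwarding no\nPermitRootLogin no\n",
    x11_installed=False,
)
FINDINGS = [
    Finding("CVE-XXXX-0001", "OpenSSH memory/buffer overflow", "SSH-2.0-OpenSSH_3.9p1"),
    Finding("CVE-XXXX-0002", "OpenSSH X11 forwarding issue", "SSH-2.0-OpenSSH_3.9p1"),
    Finding("CVE-XXXX-0003", "OpenSSH unspecified issue", "SSH-2.0-OpenSSH_3.9p1"),
]


def report(findings=FINDINGS, host=HOST) -> dict:
    """Map each CVE to (banner version, verdict) for the security team's ticket."""
    return {f.cve: (upstream_version(f.banner), triage(f, host)) for f in findings}


if __name__ == "__main__":
    for cve, (ver, verdict) in report().items():
        print(f"{cve}: banner {ver} -> {verdict}")
```

The "needs-review" bucket is the one to take to the scanning vendor; the other two carry the evidence (changelog line, config setting) you would attach to the finding.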
About Brian Suhr
Brian is a VCDX5-DCV and a Sr. Tech Marketing Engineer at Nutanix and owner of this website. He is active in the VMware community and helps lead the Chicago VMUG group. He specializes in VDI and Cloud project designs. Awarded VMware vExpert status 6 years for 2016 - 2011. VCP3, VCP5, VCP5-Iaas, VCP-Cloud, VCAP-DTD, VCAP5-DCD, VCAP5-DCA, VCA-DT, VCP5-DT, Cisco UCS Design