
Vulnerable SSHD found: YES (SSHD linked with LZMA) #14

Open
the-d3m3nt0r opened this issue Apr 9, 2024 · 1 comment

Comments

@the-d3m3nt0r

I use RHEL 9.1 and I am aware that RHEL is not susceptible to CVE-2024-3094, but when I run the CVE Detector I get the results below:

XZ vulnerable version: NO (5.2.5)
LZMA vulnerable version: NO
SSHD found in the system: YES (/usr/sbin/sshd)
SSHD linked with LZMA: YES (/lib64/liblzma.so.5)

  • Malicious XZ/LZMA found: NO
  • Vulnerable SSHD found: YES (SSHD linked with LZMA)
  • Conclusion: NOT VULNERABLE TO CVE-2024-3094

May I know the reason behind this verdict? How does this detector classify the SSHD as vulnerable?
If it is vulnerable, how do I patch or update the SSHD in RHEL 9?

@jonathanssjfrog
Contributor

Thank you for bringing this issue to our attention. I've reviewed the information you provided, and I can confirm the following:
First, please update the script to use the newest version, which includes improved messaging to provide clearer output. This ensures we have the most accurate and informative data to work with.
Second, the script correctly detected that the SSHD service on your system has a dependency on the LZMA library. However, the script confirmed that the specific LZMA version installed does not contain the malicious payload associated with the reported CVE. The output message "Malicious XZ/LZMA Found: NO" clearly indicates that the LZMA library on your system is not the malicious version.
Finally, this means that even though the SSHD service has a dependency on LZMA (which can be added to SSHD by other services), your system is not actually vulnerable to the CVE in question.
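The reply above hinges on a combination of two signals: sshd depending on liblzma is only a finding when the liblzma build itself is one of the backdoored releases. The script below is an added illustration of that decision logic, not the CVE Detector's own code. It keeps only the version and linkage checks (the "Malicious XZ/LZMA found" payload check the detector reports is not reproduced), treats the upstream 5.6.0 and 5.6.1 releases as the affected versions, and runs offline against constructed ldd output that mimics the reporter's RHEL 9.1 host; the function names, the sample output and the live-check guard are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not the detector's code): reproduce the verdict logic from
# the thread. Constructed sample data stands in for `xz --version` and
# `ldd /usr/sbin/sshd` so the script runs on any host.

# Upstream xz releases whose tarballs carried the CVE-2024-3094 backdoor.
BACKDOORED_XZ_VERSIONS="5.6.0 5.6.1"

# xz_version_vulnerable "5.2.5" -> prints NO; "5.6.1" -> prints YES
xz_version_vulnerable() {
    v="$1"
    for bad in $BACKDOORED_XZ_VERSIONS; do
        if [ "$v" = "$bad" ]; then
            echo YES
            return 0
        fi
    done
    echo NO
}

# sshd_links_lzma "<ldd output>" -> prints "YES (<path>)" or NO.
# A liblzma dependency by itself is not a finding: distro sshd builds pull it
# in through other libraries, which is exactly what the reporter's output shows.
sshd_links_lzma() {
    path=$(printf '%s\n' "$1" | awk '/liblzma\.so/ { print $3; exit }')
    if [ -n "$path" ]; then
        echo "YES ($path)"
    else
        echo NO
    fi
}

# verdict "<xz version>" "<ldd output>" -> prints the conclusion line.
# Only "sshd links liblzma" AND "liblzma is a backdoored version" is VULNERABLE.
verdict() {
    vuln=$(xz_version_vulnerable "$1")
    linked=$(sshd_links_lzma "$2")
    case "$linked" in
        YES*) linked_flag=YES ;;
        *)    linked_flag=NO ;;
    esac
    if [ "$vuln" = YES ] && [ "$linked_flag" = YES ]; then
        echo "VULNERABLE TO CVE-2024-3094"
    else
        echo "NOT VULNERABLE TO CVE-2024-3094"
    fi
}

# Constructed ldd output resembling the reporter's RHEL 9.1 host (assumption).
SAMPLE_LDD='	linux-vdso.so.1 (0x00007ffd1b3f0000)
	libsystemd.so.0 => /lib64/libsystemd.so.0 (0x00007f3a2c400000)
	liblzma.so.5 => /lib64/liblzma.so.5 (0x00007f3a2c200000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f3a2be00000)'

# report "<xz version>" "<ldd output>" -> prints the three verdict lines
# in the same shape as the detector output quoted in the issue.
report() {
    printf 'XZ vulnerable version: %s (%s)\n' "$(xz_version_vulnerable "$1")" "$1"
    printf 'SSHD linked with LZMA: %s\n' "$(sshd_links_lzma "$2")"
    printf 'Conclusion: %s\n' "$(verdict "$1" "$2")"
}

# Offline run with the constructed data: reproduces the issue's output.
report "5.2.5" "$SAMPLE_LDD"

# Live run, only when xz, ldd and sshd are actually present on this host.
if command -v xz >/dev/null 2>&1 && command -v ldd >/dev/null 2>&1 && [ -x /usr/sbin/sshd ]; then
    live_ver=$(xz --version | awk 'NR==1 { print $NF }')
    report "$live_ver" "$(ldd /usr/sbin/sshd 2>/dev/null)"
fi
```

The offline run prints the same "NO (5.2.5)", "YES (/lib64/liblzma.so.5)" and "NOT VULNERABLE" lines the reporter saw. Note the design choice in the live branch: ldd resolves dependencies by invoking the dynamic loader on the binary, so on a host whose sshd you do not yet trust, `readelf -d /usr/sbin/sshd` gives the same NEEDED entries without executing anything; and a bare version string is a weak signal on enterprise distributions that backport fixes, which is why the real detector also checks for the payload itself.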
