Naana
Explorer

openssh/openssl

Hello mates,

The current versions of OpenSSH and OpenSSL on R81.20 are OpenSSH 7.8p1 and OpenSSL 1.1.1w. According to the Vulnerability Assessment reports, these versions are flagged as having vulnerabilities. What are the latest compatible versions?


Accepted Solutions
PhoneBoy
Admin

These components should be patched against the relevant CVEs.
See the following SKs:

genisis__
Leader

We are running R82 with JHFA10, and when we ran a scan against it, I was surprised it picked up OpenSSH CVEs from 2018 and 2019 (they are listed in SK65269).

I raised a TAC case and was told this is not a TAC issue. Well, CVEs from 2018/2019 on the latest build... hmm, I don't think there is an excuse as to why OpenSSH has not been updated to resolve these issues. Any chance we can get an update as to when OpenSSH is going to be updated to a non-vulnerable version?

 

Bob_Zimmerman
Authority

That's more an issue with vulnerability scanners being terrible wastes of money. 😜 I keep getting scan results saying systems are vulnerable to CVE-2023-48795, which is categorically not a vulnerability on versions of OpenSSH before 9.5. They basically look at the version in the service banner, ignore it, and report every CVE which has ever existed for the application, no matter whether it represents an actual vulnerability in that environment or not.

genisis__
Leader

I agree - pen test reports never seem to actually indicate what was required in order to actually get to the point they could scan the device.
So it could be a critical vulnerability but the probability of exploit is low due to the layer of security that had to be bypassed in order to reach that point.

That said, my comments are coming from the fact the SK from Check Point indicates the issue has not been fixed because they believe it's a low priority (since 2019!).

PhoneBoy
Admin

If you look at the CVSS scores for the CVEs, they rate between 3.1 and 5.3 (out of 10).
At best they are "low to medium" severity CVEs that require a privileged user on the platform to access a malicious SCP server to be exploited.
This is likely why we have made the determination this is relatively low risk.

I assume we will fix this once the underlying component is updated to a different version, which most likely won't happen outside of a new release.

genisis__
Leader

Thanks.
