mjhjmtu

I am using OpenSSH version 7.4p1, in CVE database I found that cpe:/a:openbsd:openssh:7.4:p1 is vulnerable to CVE-2017-15906 https://www.cvedetails.com/cve/CVE-2017-15906/.

Does this mean that for sure my version is affected or is it possible that this version has the same number but is already patched? How can I verify this?

CentOS is just rebuilt RHEL so your system is safe, if you updated to openssh-7.4p1-16.el7 or similar that is shipped in CentOS 7.

There is CVE database in Red Hat access portal:

https://access.redhat.com/security/cve/cve-2017-15906

With links to the erratas fixing the issues and with listing of packages fixing the specific issue:

https://access.redhat.com/errata/RHSA-2018:0980

Similarly you can get the changelog of your installed package and it should list something related to this CVE number.

Discaimer: I was fixing that package in this RHEL version.

Got fixed in 7.4p1-16, way back in November 2017.

$ rpm -q openssh-server
openssh-server-7.4p1-16.el7.x86_64
$ rpm -q --changelog openssh-server | grep CVE-2017-15906
- Fix for CVE-2017-15906 (#1517226)
$ rpm -q --changelog openssh-server | head
* Fri Nov 24 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-16 + 0.10.3-2
- Fix for CVE-2017-15906 (#1517226)

* Mon Nov 06 2017 Jakub Jelen <jjelen@redhat.com> - 7.4p1-15 + 0.10.3-2
- Do not hang if SSH AuthorizedKeysCommand output is too large (#1496467)
- Do not segfault pam_ssh_agent_auth if keyfile is missing (#1494268)
- Do not segfault in audit code during cleanup (#1488083)
- Add WinSCP 5.10+ compatibility (#1496808)
- Clatch between ClientAlive and rekeying timeouts (#1480510)
- Exclude dsa and ed25519 from default proposed keys in FIPS mode (#1456853)
$

OpenSSH 7.4p1 is affected by CVE-2017-15906.

... unless the distributor of that OpenSSH package has patched it.

An example of a distributor patching this particular CVE in an affected OpenSSH package may be found in this changelog entry for 7.5p1 on Ubuntu (they have not distributed a patched 7.4p1 as far as I could see after only a brief look):

openssh (1:7.5p1-10ubuntu0.1) artful-security; urgency=medium
 * SECURITY UPDATE: DoS via zero-length file creation in readonly mode
 - debian/patches/CVE-2017-15906.patch: disallow creation of empty files
 in sftp-server.c.
 - CVE-2017-15906

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 16 Jan 2018 08:28:47 -0500

Similarly for Fedora (7.4p1).

Unfortunately, CentOS does not seem to have an easily accessible database of package updates (that I could find).

According to the bugzilla the security bug is fixed on the 7.6 version for the system based on RHEL 7:

Fixed In Version: openssh 7.6

The description on RHEL CVE-2017-15906

The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

Also this information is available on the openssh 7.6 release note

Changes since OpenSSH 7.5

Security

• sftp-server(8): in read-only mode, sftp-server was incorrectly
  permitting creation of zero-length files. Reported by Michal
  Zalewski.

The bug is fixed on 10 Apr 2018 for the openssh-7.4p1 : openssh security, bug fix, and enhancement update