OpenSSH CVE-2019-6109 and CVE-2019-6111 flagged for SDX XenServer

Article ID: CTX695692

Description

Environment Details:

NetScaler SDX (15000-50G): 14.1 47.46
XenServer 8
Kernel Version: 4.19.0+1
Platform: 14.1.0-421


OpenSSH CVE-2019-6109 and CVE-2019-6111 are flagged for the SDX XenServer.

The NetScaler SDX GUI is on version 14.1-47.46 and the XenServer version is 8, but when we check the OpenSSH version on XenServer we see the following output:

[nsroot@netscaler-sdx ~]$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Resolution

As confirmed by the Engineering team, if NetScaler SDX is running on version 14.1-47.46, then the XenServer OpenSSH CVE is a false positive.