Amazon Linux 2 is closely related to CentOS 7 which is the open source rebranding of RedHat Enterprise Linux 7.
Since RHEL likes to use stable packages, they usually take it upon themselves to make sure that the versions of software they use get all of the important security updates of later releases.
This can be seen in any RPM package using the --changelog query option of the rpm command. The output is quite long, so we will limit it with a grep for CVEs after 2000:

rpm -q --changelog openssh | grep CVE-20
In the case of the most recent release of openssh-7.4p1, I can see that CVE-2021-41617 from your list has been addressed with a fix on September 30 2021. If you are asking "what was the fix for that CVE?" or "what about the other CVEs in the list?", you can find such answers in the RHEL documentation for CVEs.
If you look at CVE-2020-15778, CVE-2019-6109, and CVE-2019-6110, they are listed as "will not fix" and give the reasoning why a fix will not be provided.
These types of security scans usually only look at the version number of installed software and compare that with a catalog of known CVEs but do not attempt to discover if the software is actually affected by any of those vulnerabilities. If you are using an in-support, up-to-date distribution, chances are any major vulnerabilities have been or will be fixed.
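The changelog check described in the answer above, written out as an added example (not code from the original answer): for each CVE identifier a scanner reported, look for it in the package's RPM %changelog and report the entry that names it, since a backported fix shows up there even though the upstream version string stays the same. The changelog text and the CHANGELOG_TEXT override are constructed for this example so it also runs on a machine without rpm.

```shell
# Usage: check_cves <package> CVE-YYYY-NNNN ...
# If CHANGELOG_TEXT is set it is used instead of `rpm -q --changelog`, so the
# example can run offline; on a real system leave it unset.

# Constructed sample changelog in `rpm -q --changelog` format. It is invented
# for this example and is not the real openssh changelog.
SAMPLE_CHANGELOG='* Thu Sep 30 2021 Example Maintainer <maint@example.com> - 7.4p1-22
- Backport fix for CVE-2021-41617 (AuthorizedKeysCommand privilege handling)
* Mon Jan 14 2019 Example Maintainer <maint@example.com> - 7.4p1-16
- Backport fix for CVE-2018-15473 (username enumeration)'

# Print the changelog for a package, or CHANGELOG_TEXT when it is set.
get_changelog() {
    if [ -n "${CHANGELOG_TEXT:-}" ]; then
        printf '%s\n' "$CHANGELOG_TEXT"
    else
        rpm -q --changelog "$1"
    fi
}

# For every CVE argument print one line:
#   <CVE> addressed <date> (<release>)   if a changelog entry names it
#   <CVE> not-mentioned                  otherwise (unfixed, or "will not fix")
check_cves() {
    pkg=$1
    shift
    changelog=$(get_changelog "$pkg") || return 1
    for cve in "$@"; do
        printf '%s\n' "$changelog" | awk -v cve="$cve" '
            # header lines: "* <weekday> <mon> <day> <year> <author> - <version-release>"
            /^\* / { date = $2 " " $3 " " $4 " " $5; rel = $NF }
            # match the whole identifier, so CVE-2021-4161 does not match CVE-2021-41617
            $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") {
                print cve, "addressed", date, "(" rel ")"; found = 1; exit
            }
            END { if (!found) print cve, "not-mentioned" }'
    done
}

# Offline run against the constructed changelog:
#   CHANGELOG_TEXT=$SAMPLE_CHANGELOG; export CHANGELOG_TEXT
#   check_cves openssh CVE-2021-41617 CVE-2020-15778
```

A CVE reported as not-mentioned is only a prompt to check the vendor's CVE page; the changelog cannot tell an unfixed issue apart from one the vendor decided not to fix.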
rpm -qa | grep openssh-7.4p1 ? – Thegs May 16 '23 at 19:54

rpm, yum, dnf, etc.) changes to reflect these patches, but the version string in the source and compiled code remains the same as upstream, and that's the version seen by an external scanner and used to make incorrect vulnerability assessments. – dave_thompson_085 May 17 '23 at 00:54