CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability
First published: Wed Nov 16 2022(Updated: )
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.sshd:sshd-core | <2.1.0 | 2.9.2 |
| maven/org.apache.sshd:sshd-common | <2.9.2 | 2.9.2 |
| redhat/jenkins | <2-plugins-0:4.11.1683009941-1.el8 | 2-plugins-0:4.11.1683009941-1.el8 |
| redhat/jenkins | <2-plugins-0:4.12.1675702407-1.el8 | 2-plugins-0:4.12.1675702407-1.el8 |
| redhat/eap7-apache-sshd | <0:2.9.2-1.redhat_00001.1.el8ea | 0:2.9.2-1.redhat_00001.1.el8ea |
| redhat/eap7-apache-sshd | <0:2.9.2-1.redhat_00001.1.el9ea | 0:2.9.2-1.redhat_00001.1.el9ea |
| redhat/eap7-apache-sshd | <0:2.9.2-1.redhat_00001.1.el7ea | 0:2.9.2-1.redhat_00001.1.el7ea |
| redhat/jenkins | <2-plugins-0:4.10.1675144701-1.el8 | 2-plugins-0:4.10.1675144701-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1675668922-1.el8 | 2-plugins-0:4.9.1675668922-1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
| redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
| redhat/vdsm | <0:4.50.3.6-1.el8e | 0:4.50.3.6-1.el8e |
| redhat/apache-sshd | <1:2.9.2-0.1.el8e | 1:2.9.2-0.1.el8e |
| Apache Sshd | <=2.9.1 | |
| redhat/sshd | <2.9.2 | 2.9.2 |
Remedy
From the maintainer: For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-45047
- https://www.mail-archive.com/dev@mina.apache.org/msg39312.html
- https://github.com/apache/mina-sshd/commit/03238d51586f6b3c0bdbb1a23cf16799344d6c32
- https://github.com/apache/mina-sshd/commit/5a8fe830b2a2308a2b24ac8115a391af477f64f5
- https://github.com/apache/mina-sshd/commit/10de190e7d3f9189deb76b8d08c72334a1fe2df0
- https://github.com/advisories/GHSA-fhw8-8j55-vwgq (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2022-45047 https://nvd.nist.gov/vuln/detail/CVE-2022-45047 https://www.mail-archive.com/dev@mina.apache.org/msg39312.html
- https://bugzilla.redhat.com/show_bug.cgi?id=2145194
- https://access.redhat.com/errata/RHSA-2023:3198
- https://access.redhat.com/errata/RHSA-2023:1064
- https://access.redhat.com/errata/RHSA-2023:0758
- https://access.redhat.com/errata/RHSA-2022:8957
- https://access.redhat.com/errata/RHSA-2023:0713
- https://access.redhat.com/errata/RHSA-2023:5396
- https://access.redhat.com/errata/RHSA-2023:0556
- https://access.redhat.com/errata/RHSA-2023:0553
- https://access.redhat.com/errata/RHSA-2023:0554
- https://access.redhat.com/errata/RHSA-2023:0552
- https://access.redhat.com/errata/RHSA-2023:0560
- https://access.redhat.com/errata/RHSA-2023:0777
- https://access.redhat.com/errata/RHSA-2023:1049
- https://access.redhat.com/errata/RHSA-2023:1043
- https://access.redhat.com/errata/RHSA-2023:1044
- https://access.redhat.com/errata/RHSA-2023:1045
- https://access.redhat.com/errata/RHSA-2023:0074
- https://access.redhat.com/errata/RHSA-2023:1047
- https://access.redhat.com/errata/RHSA-2023:3641
- https://access.redhat.com/errata/RHSA-2023:4983
- https://access.redhat.com/security/cve/cve-2022-45047
- https://security.netapp.com/advisory/ntap-20240216-0008/
- https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2145200
- https://access.redhat.com/errata/RHSA-2023:6172
- https://access.redhat.com/errata/RHSA-2024:5406
- https://access.redhat.com/errata/RHSA-2024:5411
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-45047?
CVE-2022-45047 is a vulnerability found in Apache MINA SSHD that allows for arbitrary code execution.
How severe is CVE-2022-45047?
CVE-2022-45047 has a severity rating of critical, with a CVSS score of 9.8.
What is the affected software for CVE-2022-45047?
The affected software for CVE-2022-45047 includes Apache MINA SSHD versions <= 2.9.1, org.apache.sshd:sshd-core version <= 2.1.0, and org.apache.sshd:sshd-common version <= 2.9.2.
How do I fix CVE-2022-45047?
To fix CVE-2022-45047, upgrade to Apache MINA SSHD 2.9.2 or later, org.apache.sshd:sshd-core 2.1.0 or later, or org.apache.sshd:sshd-common 2.9.2 or later.
Where can I find more information about CVE-2022-45047?
You can find more information about CVE-2022-45047 on the NIST NVD website, the Apache MINA SSHD mailing list, and the GitHub commit page.
- collector/github-advisory-latest
- alias/GHSA-fhw8-8j55-vwgq
- alias/CVE-2022-45047
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/title
- agent/event
- agent/tags
- collector/nvd-api
- source/NVD
- package-manager/maven
- package-manager/redhat
- vendor/apache
- canonical/apache sshd
- version/apache sshd/2.9.1