First published: Wed Nov 16 2022(Updated: )
A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server.
Credit: security@apache.org security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.apache.sshd:sshd-core | <2.1.0 | 2.9.2 |
maven/org.apache.sshd:sshd-common | <2.9.2 | 2.9.2 |
redhat/jenkins | <2-plugins-0:4.11.1683009941-1.el8 | 2-plugins-0:4.11.1683009941-1.el8 |
redhat/jenkins | <2-plugins-0:4.12.1675702407-1.el8 | 2-plugins-0:4.12.1675702407-1.el8 |
redhat/eap7-apache-sshd | <0:2.9.2-1.redhat_00001.1.el8ea | 0:2.9.2-1.redhat_00001.1.el8ea |
redhat/eap7-apache-sshd | <0:2.9.2-1.redhat_00001.1.el9ea | 0:2.9.2-1.redhat_00001.1.el9ea |
redhat/eap7-apache-sshd | <0:2.9.2-1.redhat_00001.1.el7ea | 0:2.9.2-1.redhat_00001.1.el7ea |
redhat/jenkins | <2-plugins-0:4.10.1675144701-1.el8 | 2-plugins-0:4.10.1675144701-1.el8 |
redhat/jenkins | <2-plugins-0:4.9.1675668922-1.el8 | 2-plugins-0:4.9.1675668922-1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el7 | 0:18.0.6-1.redhat_00001.1.el7 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el8 | 0:18.0.6-1.redhat_00001.1.el8 |
redhat/rh-sso7-keycloak | <0:18.0.6-1.redhat_00001.1.el9 | 0:18.0.6-1.redhat_00001.1.el9 |
redhat/vdsm | <0:4.50.3.6-1.el8e | 0:4.50.3.6-1.el8e |
redhat/apache-sshd | <1:2.9.2-0.1.el8e | 1:2.9.2-0.1.el8e |
Apache Sshd | <=2.9.1 | |
redhat/sshd | <2.9.2 | 2.9.2 |
<=2.9.1 |
From the maintainer: For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2022-45047 is a vulnerability found in Apache MINA SSHD that allows for arbitrary code execution.
CVE-2022-45047 has a severity rating of critical, with a CVSS score of 9.8.
The affected software for CVE-2022-45047 includes Apache MINA SSHD versions <= 2.9.1, org.apache.sshd:sshd-core version <= 2.1.0, and org.apache.sshd:sshd-common version <= 2.9.2.
To fix CVE-2022-45047, upgrade to Apache MINA SSHD 2.9.2 or later, org.apache.sshd:sshd-core 2.1.0 or later, or org.apache.sshd:sshd-common 2.9.2 or later.
You can find more information about CVE-2022-45047 on the NIST NVD website, the Apache MINA SSHD mailing list, and the GitHub commit page.