
List:       oss-security
Subject:    [oss-security] CVE-2022-45047: Apache MINA SSHD: Java unsafe deserialization vulnerability
From:       Thomas Wolf <twolf () apache ! org>
Date:       2022-11-15 23:08:17
Message-ID: 9de91c88-8c85-77d2-8846-07244ed4630e () apache ! org

Severity: important

Description:

Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Mitigation:

For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via an org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).

The issue was fixed in Apache MINA SSHD 2.9.2. 
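A custom host-key provider along the lines of the second mitigation, written here as an added example (not code from the advisory or the MINA SSHD project): it generates the key once, stores it with OpenSSHKeyPairResourceWriter and reloads it with OpenSSHKeyPairResourceParser, so no java.io.ObjectInputStream is ever involved in loading the host key. The class name OpenSshHostKeyProvider, the key file location and the choice of RSA/3072 are assumptions, and the MINA SSHD API calls are assumed to match the 2.9.x signatures.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.util.Collection;
import java.util.Collections;

import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKeyPairResourceParser;
import org.apache.sshd.common.config.keys.writer.openssh.OpenSSHKeyPairResourceWriter;
import org.apache.sshd.common.keyprovider.AbstractKeyPairProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.session.SessionContext;

/**
 * Replacement for SimpleGeneratorHostKeyProvider that never touches Java
 * serialization: the host key is generated once, written as an OpenSSH private
 * key file, and parsed back with the OpenSSH parser on every later load.
 * (Hypothetical class written for this example.)
 */
public class OpenSshHostKeyProvider extends AbstractKeyPairProvider {
    private final Path keyFile; // assumed location, chosen by the caller

    public OpenSshHostKeyProvider(Path keyFile) {
        this.keyFile = keyFile;
    }

    @Override
    public Iterable<KeyPair> loadKeys(SessionContext session)
            throws IOException, GeneralSecurityException {
        if (!Files.exists(keyFile)) {
            // First start: create the key and persist it in OpenSSH format (no ObjectOutputStream).
            KeyPair kp = KeyUtils.generateKeyPair(KeyPairProvider.SSH_RSA, 3072);
            Files.createDirectories(keyFile.toAbsolutePath().getParent());
            try (OutputStream out = Files.newOutputStream(keyFile)) {
                OpenSSHKeyPairResourceWriter.INSTANCE.writePrivateKey(kp, "host key", null, out);
            }
            try { // restrict the private key to the owner; skipped on non-POSIX file systems
                Files.setPosixFilePermissions(keyFile, PosixFilePermissions.fromString("rw-------"));
            } catch (UnsupportedOperationException ignored) { }
        }
        // Later starts: the parser only accepts the OpenSSH key format, so a tampered
        // file produces a parse error rather than instantiating arbitrary classes.
        Collection<KeyPair> keys = OpenSSHKeyPairResourceParser.INSTANCE
                .loadKeyPairs(session, keyFile, FilePasswordProvider.EMPTY);
        return Collections.unmodifiableCollection(keys);
    }
}
```

Wire it in with `sshd.setKeyPairProvider(new OpenSshHostKeyProvider(Paths.get("hostkey")))` on the SshServer, in place of the SimpleGeneratorHostKeyProvider call.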

Credit:

The Apache MINA SSHD team would like to thank Zhang Zewei, NOFOCUS, for reporting this issue.

