Description
Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
A flaw was found in Apache MINA SSHD when Java deserialization is used to load a serialized java.security.PrivateKey. An attacker could benefit from the unsafe deserialization by supplying untrusted data that may affect the application or server.
Statement
Red Hat rates the Impact as High: a mitigation exists for minimizing the impact, and the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be in use, which would in turn require an external/public API for an attacker to benefit from it. Red Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rating (Moderate), as exploitation is very unlikely there: in those products the component is for internal usage or a custom implementation is used.
Mitigation
From the maintainer: For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via an org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Alternatively, use a custom implementation in place of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via the classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).
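The following Java snippet is an added illustration of the mitigation above (it is not code from the advisory or from the Apache MINA SSHD project): it contrasts the affected host-key provider with the recommended FileKeyPairProvider loading an out-of-band generated key. The key path /etc/myapp/ssh_host_rsa_key and port 2222 are assumed placeholders.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

public class HostKeyConfig {

    // Affected pattern on MINA SSHD <= 2.9.1: the host key is generated on first
    // start, persisted with Java serialization and read back with Java
    // deserialization on every later start. Kept here only for comparison.
    static KeyPairProvider affectedProvider(Path keyFile) {
        return new SimpleGeneratorHostKeyProvider(keyFile);
    }

    // Recommended pattern from the maintainer: load a host key that was generated
    // separately (OpenSSH format). No Java deserialization is involved in loading it.
    static KeyPairProvider recommendedProvider(Path keyFile) {
        return new FileKeyPairProvider(keyFile);
    }

    public static void main(String[] args) throws Exception {
        // Assumed path. Generate the key once, outside the application, e.g.:
        //   ssh-keygen -t rsa -b 3072 -N "" -f /etc/myapp/ssh_host_rsa_key
        Path hostKey = Paths.get("/etc/myapp/ssh_host_rsa_key");

        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222); // assumed port
        sshd.setKeyPairProvider(recommendedProvider(hostKey));
        sshd.start();
    }
}
```

Restrict filesystem permissions on the generated key file to the service account, since the server now depends on that file rather than on a key it writes itself.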
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Migration Toolkit for Applications 6 | mina-sshd | Affected | | |
| Migration Toolkit for Runtimes | mina-sshd | Affected | | |
| Red Hat AMQ Broker 7 | sshd-common | Not affected | | |
| Red Hat build of Apache Camel for Spring Boot 3 | sshd-common | Not affected | | |
| Red Hat Fuse 7 | sshd-common | Affected | | |
| Red Hat Integration Camel K 1 | sshd-common | Not affected | | |
| Red Hat Integration Camel Quarkus 1 | sshd-common | Affected | | |
| Red Hat JBoss Data Grid 7 | mina-sshd | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | keycloak-adapter-sso7_5-eap6 | Out of support scope | | |
| Red Hat JBoss Enterprise Application Platform 6 | sshd-common | Out of support scope | | |
Additional information

CVSS3: 9.8 Critical
Related vulnerabilities
Vulnerability in the org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider class of the Apache SSHD Java library for SSH protocol support, allowing an attacker to execute arbitrary code