Apache · Apache Mina Sshd · CVE-2022-45047
**Name of the Vulnerable Software and Affected Versions**
Apache MINA SSHD versions <= 2.9.1
**Description**
The vulnerability lies in the class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD, which uses Java deserialization to load a serialized java.security.PrivateKey. This can allow a remote attacker to execute arbitrary code. The class is one of several implementations an integrator can choose for loading the host keys of an SSH server.
**Recommendations**
For Apache MINA SSHD versions <= 2.9.1, consider updating to a version greater than 2.9.1 to resolve the issue.
As a temporary workaround, consider restricting the use of the SimpleGeneratorHostKeyProvider class until a patch is available.
Avoid using the Java deserialization mechanism to load serialized java.security.PrivateKey objects in the affected class.
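To make the workaround concrete, the following is an added configuration example (not from the advisory or the Apache MINA SSHD project) showing the affected provider beside a host-key provider that loads a PEM/OpenSSH key file instead of a serialized object; it assumes sshd-core on the classpath, and the key paths and port are placeholders.

```java
// Added example, not code from the advisory or the Apache MINA SSHD project.
// Assumes sshd-core on the classpath; key paths and port are placeholders.
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

public class HostKeyConfig {

    // Affected on sshd-core <= 2.9.1: the provider persists the generated
    // host key with Java serialization and deserializes that file on load.
    static KeyPairProvider affectedProvider() {
        Path keyFile = Paths.get("hostkey.ser"); // placeholder path
        return new SimpleGeneratorHostKeyProvider(keyFile);
    }

    // Workaround: load a host key from a PEM/OpenSSH file generated out of
    // band (for example with ssh-keygen); no Java deserialization is involved.
    static KeyPairProvider fileBackedProvider() {
        Path keyFile = Paths.get("/etc/myapp/ssh_host_key"); // placeholder path
        return new FileKeyPairProvider(keyFile);
    }

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222); // placeholder port
        // Use the file-backed provider rather than affectedProvider().
        sshd.setKeyPairProvider(fileBackedProvider());
        sshd.start();
    }
}
```

Pair this with pinning sshd-core to a version greater than 2.9.1 in the build file, so the workaround is not the only control.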