PT-2022-7177 · Apache · Apache Mina Sshd

Zhang Zewei · Published 2022-11-15 · Updated 2024-06-15 · CVE-2022-45047

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Apache MINA SSHD versions <= 2.9.1

Description: The issue lies in the class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD, which uses Java deserialization to load a serialized java.security.PrivateKey. This can allow a remote attacker to execute arbitrary code. The class is one of several implementations that can be chosen for loading the host keys of an SSH server.

Recommendations: For Apache MINA SSHD versions <= 2.9.1, update to a version greater than 2.9.1 to resolve the issue. As a temporary workaround, restrict the use of the SimpleGeneratorHostKeyProvider class until a patch is available. Avoid using the Java deserialization mechanism to load serialized java.security.PrivateKey objects in the affected class.
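The weakness the description names is easiest to see side by side with the alternative the recommendations call for. The following Java program is an added illustration, not code from Apache MINA SSHD: it stores and reloads a private key once through plain Java serialization (the pattern behind this advisory) and once as PKCS#8 DER parsed by `KeyFactory`, which reconstructs a key of a known type instead of instantiating whatever classes the stream names. The class and method names (`HostKeyStorageExample`, `storeViaJavaSerialization`, `loadPkcs8`, and so on) are hypothetical, and RSA is used only as a stand-in for a freshly generated host key.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;

/**
 * Illustrative host-key storage, not MINA SSHD's own code (names are hypothetical).
 * Contrasts reading a PrivateKey back with ObjectInputStream, the pattern this
 * advisory describes, with a loader that parses a fixed key encoding instead.
 */
public class HostKeyStorageExample {

    /** How a key ends up on disk under the weak scheme: plain Java serialization. */
    static byte[] storeViaJavaSerialization(PrivateKey key) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(key);
        }
        return buf.toByteArray();
    }

    /**
     * Weak loader (Deserialization of Untrusted Data): readObject() reconstructs whatever
     * object graph the bytes describe, so whoever can influence the key file decides which
     * classes get instantiated before the cast to PrivateKey is ever reached.
     */
    static PrivateKey loadViaJavaSerialization(byte[] stored)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(stored))) {
            return (PrivateKey) in.readObject();
        }
    }

    /** Hardened scheme: persist the key as PKCS#8 DER, the encoding JDK private keys produce. */
    static byte[] storeAsPkcs8(PrivateKey key) {
        return key.getEncoded();
    }

    /**
     * Hardened loader: KeyFactory parses a fixed ASN.1 structure and returns a key object of a
     * known type. Malformed input fails with an exception; no foreign class is instantiated.
     */
    static PrivateKey loadPkcs8(byte[] der, String algorithm) throws GeneralSecurityException {
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair pair = gen.generateKeyPair();  // stands in for a freshly generated host key
        PrivateKey original = pair.getPrivate();

        // Both round trips yield the same key material ...
        PrivateKey viaSerialization = loadViaJavaSerialization(storeViaJavaSerialization(original));
        PrivateKey viaPkcs8 = loadPkcs8(storeAsPkcs8(original), "RSA");
        System.out.println("serialized round trip equal: "
                + Arrays.equals(original.getEncoded(), viaSerialization.getEncoded()));
        System.out.println("PKCS#8 round trip equal:     "
                + Arrays.equals(original.getEncoded(), viaPkcs8.getEncoded()));

        // ... but only the PKCS#8 path treats bytes that are not a key as an error.
        // A serialized stream naming an unexpected class is instead acted on by readObject().
        try {
            loadPkcs8("not a key".getBytes(), "RSA");
        } catch (GeneralSecurityException e) {
            System.out.println("PKCS#8 loader rejected junk input: " + e.getClass().getSimpleName());
        }
    }
}
```

Where Java serialization cannot be removed immediately, a JDK deserialization filter (`ObjectInputFilter`, JEP 290) that allowlists only the classes a key graph needs narrows the exposure, but it is a stopgap; moving the on-disk format to PKCS#8 or another fixed key encoding, as the recommendations above suggest, removes the object-graph reconstruction entirely. Operationally, also check that the host key file and its directory are writable only by the SSH service account, since the weak loader trusts whatever it finds there.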

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2023-08649
CVE-2022-45047
GHSA-FHW8-8J55-VWGQ
OESA-2022-2119
OPENSUSE-SU-2024:12511-1
OPENSUSE-SU-2024_0224-1
RHSA-2023:0074
RHSA-2023:0552
RHSA-2023:0553
RHSA-2023:0554
RHSA-2023:0560
RHSA-2023:0777
RHSA-2023:1043
RHSA-2023:1044
RHSA-2023:1045
RHSA-2023:1064
RHSA-2023:3198
RHSA-2025:1746
RHSA-2025:1747
SUSE-SU-2024:0224-1
SUSE-SU-2024_0224-1

Affected Products

Apache Mina Sshd
Suse