Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
Fixes

Solution

No solution given by the vendor.


Workaround

For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via an org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Alternatively, replace SimpleGeneratorHostKeyProvider with a custom implementation that stores and loads the host key in OpenSSH format (via the classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).
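The affected configuration next to the workaround above, as an added example that is not part of the advisory or of the Apache MINA SSHD project. The class name HostKeyConfig, the directory /etc/myapp, the key file names and port 2222 are assumptions; only the Apache MINA SSHD classes named in the advisory are real.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

public class HostKeyConfig {

    // Affected pattern (Apache MINA SSHD <= 2.9.1): on first start the provider
    // generates a key pair and persists it as a serialized java.security.PrivateKey;
    // every later start reads that file back with Java deserialization, so the
    // server process deserializes whatever the file on disk contains.
    static KeyPairProvider affectedProvider(Path dataDir) {
        return new SimpleGeneratorHostKeyProvider(dataDir.resolve("hostkey.ser")); // hypothetical file name
    }

    // Workaround from the advisory: load a host key generated out of band in
    // OpenSSH format, e.g. with
    //   ssh-keygen -t ed25519 -N "" -f /etc/myapp/ssh_host_ed25519_key   (hypothetical path)
    // FileKeyPairProvider parses the key file with the OpenSSH/PEM key parsers
    // and does not use Java serialization.
    static KeyPairProvider hardenedProvider(Path dataDir) {
        Path hostKey = dataDir.resolve("ssh_host_ed25519_key"); // hypothetical file name
        return new FileKeyPairProvider(hostKey);
    }

    public static void main(String[] args) throws Exception {
        Path dataDir = Paths.get(args.length > 0 ? args[0] : "/etc/myapp"); // hypothetical location
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);
        sshd.setKeyPairProvider(hardenedProvider(dataDir)); // not affectedProvider(dataDir)
        sshd.start();
        Thread.sleep(Long.MAX_VALUE);
    }
}
```

Restrict write access to the host key file to the account running the server, and audit the deployment for any remaining reference to SimpleGeneratorHostKeyProvider.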

History

Tue, 25 Feb 2025 02:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Redhat jboss Enterprise Application Platform Eus
CPEs                                  cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7
                                      cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7
Vendors & Products                    Redhat jboss Enterprise Application Platform Eus

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2024-08-03T14:01:31.528Z

Reserved: 2022-11-08T00:00:00

Link: CVE-2022-45047

Vulnrichment

No data.

NVD

Status: Modified

Published: 2022-11-16T09:15:14.320

Modified: 2024-11-21T07:28:40.453

Link: CVE-2022-45047

Redhat

Severity: Important

Public Date: 2022-11-16T00:00:00Z

Links: CVE-2022-45047 - Bugzilla

OpenCVE Enrichment

No data.