{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-45047", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "dateUpdated": "2024-08-03T14:01:31.528Z", "dateReserved": "2022-11-08T00:00:00", "datePublished": "2022-11-16T00:00:00"}, "containers": {"cna": {"title": "Apache MINA SSHD: Java unsafe deserialization vulnerability", "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-02-16T13:06:09.825899"}, "descriptions": [{"lang": "en", "value": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server."}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache MINA SSHD", "versions": [{"version": "unspecified", "lessThanOrEqual": "2.9.1", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html"}, {"url": "https://security.netapp.com/advisory/ntap-20240216-0008/"}], "credits": [{"lang": "en", "value": "The Apache MINA SSHD team would like to thank Zhang Zewei, NOFOCUS, for reporting this issue."}], "metrics": [{"other": {"type": "unknown", "content": {"other": "important"}}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-502 Deserialization of Untrusted Data", "cweId": "CWE-502"}]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "source": {"discovery": "UNKNOWN"}, "workarounds": [{"lang": "en", "value": "For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser)."}, {"lang": "en", "value": "The issue was fixed in Apache MINA SSHD 2.9.2. "}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:01:31.528Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240216-0008/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*", "matchCriteriaId": "00D0F9FD-039D-4097-979B-9242276B1DD3", "versionEndIncluding": "2.9.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server."}, {"lang": "es", "value": "La clase org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider en Apache MINA SSHD anteriore a la versi\u00f3n 2.9.1 usa la deserializaci\u00f3n de Java para cargar una java.security.PrivateKey serializada. La clase es una de varias implementaciones que un implementador que usa Apache MINA SSHD puede elegir para cargar las claves de host de un servidor SSH."}], "id": "CVE-2022-45047", "lastModified": "2024-02-16T13:15:09.513", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-16T09:15:14.320", "references": [{"source": "security@apache.org", "url": "https://security.netapp.com/advisory/ntap-20240216-0008/"}, {"source": "security@apache.org", "url": "https://www.mail-archive.com/dev%40mina.apache.org/msg39312.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:1064", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1675702407-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2023-03-06T00:00:00Z"}, {"advisory": "RHSA-2023:3198", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-2-plugins-0:4.11.1683009941-1.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-05-17T00:00:00Z"}, {"advisory": "RHSA-2023:0758", "cpe": "cpe:/a:redhat:quarkus:2.13", "product_name": "Red Hat build of Quarkus", "release_date": "2023-02-14T00:00:00Z"}, {"advisory": "RHSA-2022:8957", "cpe": "cpe:/a:redhat:quarkus:2.7", "impact": "moderate", "package": "sshd-common", "product_name": "Red Hat build of Quarkus Platform 2.7.6.SP3", "release_date": "2022-12-13T00:00:00Z"}, {"advisory": "RHSA-2023:0713", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "impact": "moderate", "package": "mina-sshd", "product_name": "Red Hat Data Grid 8.4.1", "release_date": "2023-02-09T00:00:00Z"}, {"advisory": "RHSA-2023:5396", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "product_name": "Red Hat Data Grid 8.4.4", "release_date": "2023-09-28T00:00:00Z"}, {"advisory": "RHSA-2023:0556", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "impact": "moderate", "package": "sshd-common", "product_name": "Red Hat JBoss Enterprise Application Platform 7.1.0", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0553", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "impact": "moderate", "package": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0554", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "impact": "moderate", "package": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0552", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "impact": "moderate", "package": "eap7-apache-sshd-0:2.9.2-1.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2023-01-31T00:00:00Z"}, {"advisory": "RHSA-2023:0560", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "jenkins-2-plugins-0:4.10.1675144701-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2023-02-08T00:00:00Z"}, {"advisory": "RHSA-2023:0777", "cpe": "cpe:/a:redhat:openshift:4.9::el8", "package": "jenkins-2-plugins-0:4.9.1675668922-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.9", "release_date": "2023-02-23T00:00:00Z"}, {"advisory": "RHSA-2023:1049", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package": "sshd-common", "product_name": "Red Hat Single Sign-On 7", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1043", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1044", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:1045", "cpe": "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package": "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso", "product_name": "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:0074", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "vdsm-0:4.50.3.6-1.el8ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2023-01-11T00:00:00Z"}, {"advisory": "RHSA-2023:0074", "cpe": "cpe:/a:redhat:rhev_manager:4.4:el8", "package": "apache-sshd-1:2.9.2-0.1.el8ev", "product_name": "Red Hat Virtualization Engine 4.4", "release_date": "2023-01-11T00:00:00Z"}, {"advisory": "RHSA-2023:1047", "cpe": "cpe:/a:redhat:rhosemc:1.0::el8", "package": "rh-sso-7/sso76-openshift-rhel8:7.6-20", "product_name": "RHEL-8 based Middleware Containers", "release_date": "2023-03-01T00:00:00Z"}, {"advisory": "RHSA-2023:3641", "cpe": "cpe:/a:redhat:camel_spring_boot:3.18", "product_name": "RHINT Camel-Springboot 3.18.3.P2", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:4983", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package": "mina-sshd", "product_name": "RHPAM 7.13.4 async", "release_date": "2023-09-05T00:00:00Z"}], "bugzilla": {"description": "mina-sshd: Java unsafe deserialization vulnerability", "id": "2145194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2145194"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-502", "details": ["Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.", "A flaw was found in Apache MINA SSHD, when using Java deserialization to load a serialized java.security.PrivateKey. An attacker could benefit from unsafe deserialization by inserting unsecured data that may affect the application or server."], "mitigation": {"lang": "en:us", "value": "From the maintainer:\nFor Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of \nSimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser)."}, "name": "CVE-2022-45047", "package_state": [{"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Affected", "package_name": "mina-sshd", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "mina-sshd", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "sshd-common", "product_name": "Red Hat build of Apache Camel for Spring Boot"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "sshd-common", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Affected", "package_name": "sshd-common", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "sshd-common", "product_name": "Red Hat JBoss A-MQ 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "mina-sshd", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "keycloak-adapter-sso7_5-eap6", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "mina-sshd", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "sshd-common", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "mina-sshd", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "impact": "moderate", "package_name": "sshd-common", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "mina-sshd", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "mina-sshd", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Affected", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2022-11-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-45047\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-45047\nhttps://www.mail-archive.com/dev@mina.apache.org/msg39312.html"], "statement": "Red Hat Impact as High as there's a mitigation for minimizing the impact which the flaw requires org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to be impacted, which would require an external/public API for an attacker to benefit from it. \nRed Hat Fuse 7 and Red Hat JBoss Enterprise Application Platform 7 have a lower rate (moderate) as it's very unlikely to be exploited since those are for internal usage or use a custom implementation in their case.", "threat_severity": "Important", "upstream_fix": "sshd 2.9.2"}