Bugzilla – Bug 1205463
VUL-0: CVE-2022-45047: apache-sshd: Java unsafe deserialization vulnerability
Last modified: 2024-03-05 11:45:33 UTC
CVE-2022-45047
Posted by Thomas Wolf on Nov 15

Severity: important

Description: Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.

Mitigation: For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server's host key. Use separately generated host key files, for instance in OpenSSH format, and load them via an org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser). The issue was fixed in Apache MINA SSHD 2.9.2.

Credit: The Apache MINA SSHD team would like to thank Zhang Zewei, NOFOCUS, for reporting this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45047
https://seclists.org/oss-sec/2022/q4/148
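The advisory's second mitigation (a generate-if-missing provider that persists the host key in OpenSSH format through OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser) is sketched below as an added example. It is not code from the advisory, from Thomas Wolf, or from the Apache MINA SSHD project. The Apache MINA SSHD types it calls (KeyPairProvider, KeyUtils, FilePasswordProvider, the OpenSSH writer/parser, SshServer, FileKeyPairProvider) are the project's public 2.x API; the class name OpenSshHostKeyProvider, the file names hostkey.openssh and /etc/myapp/ssh_host_ecdsa_key, the key type choice and port 2222 are this example's own assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyPair;

import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.apache.sshd.common.config.keys.KeyUtils;
import org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKeyPairResourceParser;
import org.apache.sshd.common.config.keys.writer.openssh.OpenSSHKeyPairResourceWriter;
import org.apache.sshd.common.keyprovider.KeyPairProvider;
import org.apache.sshd.common.session.SessionContext;
import org.apache.sshd.server.SshServer;

/**
 * Host key provider that, like SimpleGeneratorHostKeyProvider, generates a key on
 * first start and reuses it afterwards, but stores it in OpenSSH private key format.
 * Loading therefore goes through a key-format parser (OpenSSHKeyPairResourceParser)
 * instead of java.io.ObjectInputStream, so the host key file can never carry a
 * deserialization gadget chain. Class name and file layout are this example's choices.
 */
public final class OpenSshHostKeyProvider implements KeyPairProvider {
    private final Path keyFile;
    private final String keyType; // SSH key type name, e.g. KeyPairProvider.ECDSA_SHA2_NISTP256
    private final int keySize;

    public OpenSshHostKeyProvider(Path keyFile, String keyType, int keySize) {
        this.keyFile = keyFile;
        this.keyType = keyType;
        this.keySize = keySize;
    }

    @Override
    public Iterable<KeyPair> loadKeys(SessionContext session) throws IOException, GeneralSecurityException {
        if (!Files.exists(keyFile)) {
            generateAndStore();
        }
        // The file is written unencrypted (same trust model as the original provider),
        // so an empty password provider is enough to parse it back.
        return OpenSSHKeyPairResourceParser.INSTANCE.loadKeyPairs(session, keyFile, FilePasswordProvider.EMPTY);
    }

    private void generateAndStore() throws IOException, GeneralSecurityException {
        KeyPair pair = KeyUtils.generateKeyPair(keyType, keySize);
        try {
            // Host keys are secrets: create the file owner read/write only before writing.
            Files.createFile(keyFile,
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            Files.createFile(keyFile); // non-POSIX file system: rely on directory ACLs instead
        }
        try (OutputStream out = Files.newOutputStream(keyFile)) {
            // A null OpenSSHKeyEncryptionContext writes the private key without a passphrase.
            OpenSSHKeyPairResourceWriter.INSTANCE.writePrivateKey(pair, "host key", null, out);
        }
    }

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222); // port is an assumption

        // Affected configuration on <= 2.9.1 (for contrast only, not executed):
        //   sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));
        // reads hostkey.ser back with Java deserialization.

        // Advisory mitigation 1: key generated out of band (e.g. ssh-keygen) and loaded
        // through FileKeyPairProvider; the path is an assumption.
        //   sshd.setKeyPairProvider(new FileKeyPairProvider(Paths.get("/etc/myapp/ssh_host_ecdsa_key")));

        // Advisory mitigation 2: generate-if-missing provider using the OpenSSH format.
        sshd.setKeyPairProvider(new OpenSshHostKeyProvider(
                Paths.get("hostkey.openssh"), KeyPairProvider.ECDSA_SHA2_NISTP256, 256));

        sshd.start();
        System.out.println("SSH server listening on port " + sshd.getPort());
        Thread.sleep(Long.MAX_VALUE); // keep the server running
    }
}
```

Both mitigations share the property that matters: the host key file is parsed as a key format, not deserialized as an arbitrary Java object graph, so tampering with the file can at worst yield an unusable key rather than code execution in the server process. Existing deployments that already hold a serialized hostkey.ser should regenerate (or convert) the key once under the new provider, since the old file cannot be read without the deserialization path the advisory warns against.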
This is an autogenerated message for OBS integration: This bug (1205463) was mentioned in https://build.opensuse.org/request/show/1036214 Factory / apache-sshd
SUSE-SU-2024:0224-1: An update that solves two vulnerabilities can now be installed.

Category: security (important)
Bug References: 1205463, 1218189
CVE References: CVE-2022-45047, CVE-2023-48795

Sources used:
openSUSE Leap 15.5 (src): apache-parent-31-150200.3.12.1, apache-sshd-2.12.0-150200.5.8.1
Development Tools Module 15-SP5 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src): apache-sshd-2.12.0-150200.5.8.1
SUSE Enterprise Storage 7.1 (src): apache-sshd-2.12.0-150200.5.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Fixed, reassigning to security to close.