CVE-2022-45047: Apache MINA SSHD unsafe deserialization vulnerability
Apache MINA has fixed an unsafe deserialization vulnerability in the SSHD component. The bug lies in the class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider, which stores the server's generated host key as a serialized Java object and reads it back with Java deserialization. An attacker able to tamper with that serialized host key file could therefore supply a malicious object graph and achieve code execution when the server loads it. Tracked as CVE-2022-45047, the flaw is rated Important.
Apache MINA SSHD is a 100% pure java library to support the SSH protocols on both the client and server sides. It does not aim at being a replacement for the SSH client or SSH server from Unix operating systems, but rather provides support for Java-based applications requiring SSH support.
“Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server,” reads the mailing list.
Unsafe deserialization occurs when attacker-controllable data is deserialized by an application. This lets an attacker manipulate serialized objects so that harmful data is passed into application code, and to reuse existing application classes (so-called gadget chains) in unintended ways, which leads to numerous other vulnerabilities, often remote code execution.[1]
Security researcher Zhang Zewei of NOFOCUS has been credited with reporting the CVE-2022-45047 flaw.
Apache MINA SSHD has fixed the vulnerability in the latest version (2.9.2). Users are advised to upgrade to the fixed version as soon as possible, or to apply the migration method below:
“For Apache MINA SSHD <= 2.9.1, do not use org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider to generate and later load your server’s host key. Use separately generated host key files, for instance in OpenSSH format, and load them via a org.apache.sshd.common.keyprovider.FileKeyPairProvider instead. Or use a custom implementation instead of SimpleGeneratorHostKeyProvider that uses the OpenSSH format for storing and loading the host key (via classes OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser).”
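To make the recommended migration concrete, the following is an added example, not code from the advisory or from the Apache MINA SSHD project. It generates a host key with plain JCA, writes it in OpenSSH format with OpenSSHKeyPairResourceWriter, checks the file with OpenSSHKeyPairResourceParser, and then hands it to the server through a FileKeyPairProvider, so no Java deserialization is involved at startup. The vulnerable SimpleGeneratorHostKeyProvider call is kept only as a comment for contrast. It assumes Apache MINA SSHD 2.9.x on the classpath with the method signatures used below; the file name hostkey.pem, the port 2222, the key comment and the secp256r1 curve are illustrative choices.

```java
// Added example (not from the advisory or the Apache MINA SSHD project).
// Assumptions: sshd-core 2.9.x API; file name, port and curve are illustrative.
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;
import java.util.Collection;

import org.apache.sshd.common.config.keys.FilePasswordProvider;
import org.apache.sshd.common.config.keys.loader.openssh.OpenSSHKeyPairResourceParser;
import org.apache.sshd.common.config.keys.writer.openssh.OpenSSHKeyPairResourceWriter;
import org.apache.sshd.common.keyprovider.FileKeyPairProvider;
import org.apache.sshd.server.SshServer;

public class SafeHostKeyServer {

    public static void main(String[] args) throws Exception {
        Path hostKey = Paths.get("hostkey.pem");

        // VULNERABLE pattern in <= 2.9.1 (shown for contrast only, do not use):
        //   sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));
        // SimpleGeneratorHostKeyProvider stores the generated PrivateKey as a serialized
        // Java object and reads it back with Java deserialization on the next start.

        if (!Files.exists(hostKey)) {
            generateOpenSshHostKey(hostKey);
        }

        // Parse the file with the OpenSSH parser before handing it to the server so that a
        // damaged or foreign file fails loudly at startup rather than at the first connection.
        Collection<KeyPair> keys = OpenSSHKeyPairResourceParser.INSTANCE.loadKeyPairs(
                null, hostKey, FilePasswordProvider.EMPTY);
        if (keys.isEmpty()) {
            throw new IllegalStateException("no host key found in " + hostKey);
        }

        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);
        // FileKeyPairProvider reads OpenSSH/PEM formatted keys; no ObjectInputStream is involved.
        sshd.setKeyPairProvider(new FileKeyPairProvider(hostKey));
        sshd.start();
        Thread.sleep(Long.MAX_VALUE);
    }

    /** Generates an ECDSA (secp256r1) host key with JCA and stores it in OpenSSH private key format. */
    static void generateOpenSshHostKey(Path target) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair kp = gen.generateKeyPair();

        // CREATE_NEW refuses to overwrite an existing file, so a key is never silently replaced.
        try (OutputStream out = Files.newOutputStream(target,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            // A null encryption context writes an unencrypted key; a host key is loaded
            // unattended at startup, so protect it with file permissions instead of a passphrase.
            OpenSSHKeyPairResourceWriter.INSTANCE.writePrivateKey(kp, "ssh host key", null, out);
        }
        try {
            Files.setPosixFilePermissions(target, PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException ignored) {
            // Non-POSIX filesystem (for example Windows): restrict access with ACLs instead.
        }
    }
}
```

Whichever provider is used, the host key file remains a trust boundary: anyone who can write to it can replace the server identity. The point of the migration is that, with the OpenSSH format, tampering costs the attacker at most a key substitution rather than arbitrary code execution inside the server process.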