Hi Christopher,

First, sorry for the late answer.
Apache MINA SSHD is a library providing SSH support in Java. It's more likely that one of the Java applications running on your server is using a version of this library that is subject to this CVE. FTR, an Apache MINA SSHd release (2.9.2) has been issued that fixes this specific CVE.
I suggest you check what Java application is running on your servers, and that you check either with your internal developers or with your software vendors to get to know which software is embedding Apache MINA SSHd.
It may be complex because it may be a third-party dependency (i.e. a lib that is used by a lib (and you can iterate) that is used by an application...).
I hope you'll find the root cause of this issue...

On 23/06/2023 18:53, MCCOY, CHRISTOPHER wrote:
Hello.

Recently inside my organization some of my group's servers have been flagged with a vulnerability regarding Apache MINA. Here is a clip from the email that was brought to our attention:

CVE-2022-45047
Summary: Class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider in Apache MINA SSHD <= 2.9.1 uses Java deserialization to load a serialized java.security.PrivateKey. The class is one of several implementations that an implementor using Apache MINA SSHD can choose for loading the host keys of an SSH server.
CVSS Score: 0
CVSS V3 Score: 9.8
CWE ID: CWE-502
Vulnerable Packages: cpe:2.3:a:apache:sshd:*:*:*:*:*:*:*:*
Published: November 16, 2022
Last Modified: November 18, 2022
References: https://www.mail-archive.com/dev@mina.apache.org/msg39312.html

I am unaware of specifically what Apache MINA is, or how it relates to any project or service that currently runs on our servers. I would like to identify where this service is on our servers so that it can either be removed (if not used) or updated so that we are no longer flagged for this vulnerability.

Could someone please explain to me how I can locate this application or service on our MS Azure server, and possibly identify if it is something that we actually need, and how it can be removed or updated?

Thanks!
-- Christopher McCoy
--
*Emmanuel Lécharny - CTO*
205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com
https://www.busit.com/
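One way to carry out the search suggested in the reply, as an added example that is not part of the original thread: it walks a directory tree, opens every .jar/.war/.ear, descends into jars nested inside them (the "lib used by a lib" case) and reports each archive that contains the class named in the CVE summary. The Maven metadata path under groupId `org.apache.sshd`, the nesting limit and all function names are assumptions of this sketch.

```python
import io
import re
import sys
import zipfile
from pathlib import Path

# Class named in the CVE-2022-45047 summary, as an entry path inside a jar.
TARGET = "org/apache/sshd/server/keyprovider/SimpleGeneratorHostKeyProvider.class"
EXTS = (".jar", ".war", ".ear")
FIXED = (2, 9, 2)  # release the reply names as fixing the CVE

def version_of(zf):
    # Maven metadata location (assumed groupId); shaded jars often lack it.
    pat = re.compile(r"META-INF/maven/org\.apache\.sshd/[^/]+/pom\.properties")
    for name in filter(pat.fullmatch, zf.namelist()):
        m = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
        if m:
            return m.group(1).strip()
    return None

def is_affected(version):
    """True if older than 2.9.2, False otherwise, None if the version is unknown."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups()) < FIXED

def scan_archive(src, label, hits, depth=0):
    """Record archives containing TARGET; descend into nested jars (fat jars, WARs)."""
    try:
        with zipfile.ZipFile(src) as zf:
            names = zf.namelist()
            if TARGET in names:
                version = version_of(zf)
                hits.append((label, version, is_affected(version)))
            for n in names:
                if depth < 4 and n.lower().endswith(EXTS):
                    scan_archive(io.BytesIO(zf.read(n)), f"{label}!/{n}", hits, depth + 1)
    except (zipfile.BadZipFile, OSError, RuntimeError):
        pass  # corrupt, unreadable or encrypted archive: skip it

def scan_tree(root):
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in EXTS:
            scan_archive(p, str(p), hits)
    return hits

if __name__ == "__main__":
    print(*scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."), sep="\n")
```

Each result is a tuple of archive path, detected version and affected flag; a flag of `None` means the class is present but no version metadata was found, so that archive needs a manual check with its vendor or developers.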