CVE-2022-45047: 
Java vulnerability analysis and mitigation

Apache MINA SSHD version 2.9.1 and earlier contains a Java deserialization vulnerability identified as CVE-2022-45047. The vulnerability exists in the class org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider, which uses Java deserialization to load serialized java.security.PrivateKey. This class serves as one of several implementations that developers can choose for loading SSH server host keys (Apache Mailing List).

The vulnerability specifically affects the SimpleGeneratorHostKeyProvider class in Apache MINA SSHD versions through 2.9.1. The issue stems from unsafe Java deserialization practices when loading private key data. According to the NetApp security advisory, this vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Given the critical CVSS score, the potential impact on affected systems is severe (NetApp Advisory).

For Apache MINA SSHD versions 2.9.1 and earlier, users should avoid using org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider for generating and loading server host keys. Instead, it is recommended to use separately generated host key files in OpenSSH format and load them via org.apache.sshd.common.keyprovider.FileKeyPairProvider. Alternatively, users can implement a custom solution using OpenSSHKeyPairResourceWriter and OpenSSHKeyPairResourceParser classes. The vulnerability has been fixed in Apache MINA SSHD version 2.9.2 (Apache Mailing List).