CVE-2024-41909: 
Java vulnerability analysis and mitigation

Apache MINA SSHD versions through 2.11.0 are affected by a vulnerability similar to the Terrapin attack (CVE-2023-48795). This vulnerability allows an attacker who can intercept traffic between client and server to drop certain packets from the stream, potentially causing client and server to end up with a connection where security features have been downgraded or disabled (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability requires network access, has high attack complexity, requires no privileges or user interaction, and can lead to high impact on integrity without affecting confidentiality or availability (NVD).

Successful exploitation of this vulnerability could lead to the addition or modification of data in transit between client and server. The attack potentially allows security features to be downgraded or disabled during SSH connections (NetApp Security).

The vulnerability has been fixed in Apache MINA SSHD version 2.12.0. Both client and server implementations must be updated to this version or later to fully mitigate the vulnerability. It's important to note that both the client and the server implementation must have mitigations applied, otherwise the connection may still be affected (NVD).

The vulnerability has gained attention in the security community, with various organizations including Red Hat and NetApp issuing advisories about the impact on their products. There are ongoing discussions about implementing the 'strict-KEX' extension as a mitigation measure (GitHub Issue).