
Deserialization of Untrusted Data vulnerability in org.apache.sshd:sshd-common

  • Package Manager: maven
  • Vulnerable module: org.apache.sshd:sshd-common
  • Introduced through: org.keycloak:keycloak-quarkus-server-app@999-SNAPSHOT, org.keycloak:keycloak-quarkus-server@999-SNAPSHOT and others

Detailed paths

Overview

Affected versions of this package are vulnerable to Deserialization of Untrusted Data via org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider.

Details

Serialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating an object from a sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (storing the object state in a file or a database). It is an integral part of popular protocols like Remote Method Invocation (RMI), Java Management Extension (JMX), Java Messaging System (JMS), Action Message Format (AMF), Java Server Faces (JSF) ViewState, etc.

Deserialization of untrusted data (CWE-502) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.

Remediation

A fix was pushed into the master branch but not yet published.

References
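The pattern named in the Overview, a host key provider that persists a generated key with Java serialization and reads it back with ObjectInputStream, shown next to the mitigation a defender would apply: store only standard key encodings and parse them with KeyFactory, which can never instantiate a class named by the file. This is an added example, not code from Apache MINA SSHD or from the issue; the file layout and the class and method names are constructed for it.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;

public class HostKeyStore {
    // Weak pattern: the file content decides which classes ObjectInputStream instantiates,
    // and it does so before the cast to KeyPair can reject anything.
    static KeyPair loadSerialized(Path file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(file))) {
            return (KeyPair) in.readObject();
        }
    }
    // Hardened replacement: persist only standard encodings (PKCS#8 private key, X.509
    // SubjectPublicKeyInfo public key). Constructed layout: algorithm name, then length-prefixed blobs.
    static void saveEncoded(Path file, KeyPair kp) throws IOException {
        try (DataOutputStream out = new DataOutputStream(Files.newOutputStream(file))) {
            out.writeUTF(kp.getPrivate().getAlgorithm());
            byte[] priv = kp.getPrivate().getEncoded(); out.writeInt(priv.length); out.write(priv);
            byte[] pub = kp.getPublic().getEncoded();   out.writeInt(pub.length);  out.write(pub);
        }
    }

    // KeyFactory turns the encodings into exactly one key type; no class names come from the file.
    static KeyPair loadEncoded(Path file) throws IOException, GeneralSecurityException {
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            KeyFactory kf = KeyFactory.getInstance(in.readUTF());
            PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(readBlob(in)));
            PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(readBlob(in)));
            return new KeyPair(pub, priv);
        }
    }

    // Bounded read: a corrupt or hostile length field cannot force a huge allocation.
    private static byte[] readBlob(DataInputStream in) throws IOException {
        int len = in.readInt();
        if (len < 0 || len > 16 * 1024) throw new IOException("unreasonable key length: " + len);
        byte[] buf = new byte[len];
        in.readFully(buf);
        return buf;
    }
    public static void main(String[] args) throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("EC").generateKeyPair();
        Path file = Files.createTempFile("hostkey", ".bin");
        saveEncoded(file, kp);
        System.out.println("round trip ok: " + loadEncoded(file).getPublic().equals(kp.getPublic()));
    }
}
```

A tampered file handed to loadEncoded fails inside KeyFactory with an InvalidKeySpecException; the same file handed to loadSerialized would already have run the constructors and readObject methods of whatever classes it named.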

Issue Analytics

  • State: open
  • Created 10 months ago
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

1 reaction
edwint88 commented, Dec 5, 2022

Hi, I saw that, but I mean for what features is this used exactly? (org.apache.sshd:sshd-common@2.7.0) Because when I'm searching the lib in GitHub, I find just some tests that are using it.

1 reaction
abstractj commented, Dec 5, 2022

@edwint88 it is part of the issue description, please check the “Detailed paths” section.
