Apache SSHD vulnerability CVE-2022-45047
search cancel

Apache SSHD vulnerability CVE-2022-45047

book

Article ID: 269923

calendar_today

Updated On:

Products

CA Automic Applications Manager (AM)

Issue/Introduction

Applications Manager's sshdserver process is an option process that is introduced in version 9.4.0, and is an extra process that runs on the Remote Agent server. 

More information can be found and the following documentation links:

Disaster Recovery
SSH Server

The sshdserver process uses 2 new jars that is located in the classes directory; sshd-core-2.7.0.jar and sshd-common-2.7.0.jar

These 2 jar files have been found to be vulnerable under CVE-2022-45047. More information about the vulnerability can be found at the link below:

https://nvd.nist.gov/vuln/detail/CVE-2022-45047

Environment

Release : 9.4.x

Cause

Defect

Resolution

As Applications Manager is coded for specific jar versions, the sshd-core-2.7.0.jar and/or sshd-common-2.7.0.jar files can not be changed. 

A permanent fix is included in Applications Manager version 9.5 that uses v.2.9.2 of the jar files, which currently has a August 2023 release date (date may change).

Workaround:

As the sshdserver process is an optional process. The below steps can be taken to avoid starting and using the sshdserver process.

1. On Remote Agents, instead of using a "startso all" command that starts the Agentservice process and the sshdserver process, use a "startso agentservice" to start only the AgentSevice process with starting the sshdserver process. 

2. If needed, you can backup, rename, or delete the sshd-core-2.7.0.jar and sshd-common-2.7.0.jar files (I recommend having a at least a backup just in case it is neeed, but from my test it should not be needed)