upgrading sshd-core to version 2.9.2

Anoop Chitreddy

Jan 29, 2023, 8:45:28 PM
to WildFly
Hi,

We are currently using wildfly-26.1.2.Final built using the WildFly feature pack. Recently we received a warning from our dependency-check tool indicating that sshd-core-2.7.0.jar is triggering a CRITICAL severity CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-45047

Would we be safe to upgrade sshd-core to version 2.9.2? I am asking this question because the module file for sshd-core in WildFly is marking it as a private dependency:
------------------------------------------------------------------------------------------------------------------------
<module name="org.apache.sshd" xmlns="urn:jboss:module:1.9">
    <properties>
        <property name="jboss.api" value="private"/>
    </properties>

    <resources>
        <resource-root path="sshd-common-2.7.0.jar"/>
        <resource-root path="sshd-core-2.7.0.jar"/>
    </resources>

    <dependencies>
        <module name="org.bouncycastle.bcpg"/>
        <module name="org.bouncycastle.bcpkix"/>
        <module name="org.bouncycastle.bcprov"/>
        <module name="org.slf4j"/>
        <module name="org.slf4j.impl"/>
        <module name="java.logging"/>
        <module name="java.rmi"/>
        <module name="java.management"/>
    </dependencies>
</module>
------------------------------------------------------------------------------------------------------------------------ 

Appreciate your help.
Anoop

Yeray Borges Santana

Feb 13, 2023, 5:03:23 AM
to WildFly
Hello Anoop,

WildFly 26.1.2.Final is not affected by this CVE, since the affected class is not used by the WildFly code or by any dependency used in the server.

You can find more information about the affected class here: https://www.mail-archive.com/d...@mina.apache.org/msg39312.html

And, as an additional reference: https://issues.redhat.com/browse/WFCORE-6132

The fact that this module is marked as private is solely to advise users that they should not use this dependency directly in their deployments, since its version may be changed, or the module removed, in future server versions without notice.

Hope that helps you deal with this CVE; feel free to share your feedback.

Regards,
Yeray
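
A practical follow-up to Yeray's answer, added here as an example and not code from the original thread or from the WildFly project: what settles the question for a given install is not the jar version reported by the scanner but whether any class the server ships actually references the affected class. The script below walks a WildFly modules/ tree, reads each module.xml the way the one quoted above is laid out (resource-root jars relative to the module directory, the jboss.api property), and reports every jar whose .class files mention the affected class's JVM-internal name; it also reports how the shipping module is advertised, so a hit inside a private module is visible as such. Assumptions: the affected class name is the one given in the NVD entry for CVE-2022-45047 (confirm it against the MINA thread Yeray links), the module layout is the generic modules/**/module.xml form, and the fixture install, the org.example.app module and the fake class files are constructed for this example only.

```python
#!/usr/bin/env python3
"""Added example (not WildFly project code): check whether a CVE-affected class
is referenced by any jar shipped in a WildFly install, and report how the
module that ships it is advertised (jboss.api).

Assumptions, all hypothetical:
  - WILDFLY_HOME/modules/**/module.xml lists the module's jars as
    <resource-root path="..."/> relative to the module.xml directory;
  - a .class file whose bytes contain the target's JVM-internal name
    (org/apache/sshd/...) references it. This is a conservative substring
    match over the constant pool: it over-reports (a longer name sharing the
    prefix) and misses reflective or string-built lookups.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET
import zipfile

# Class named in the NVD entry for CVE-2022-45047; verify against the MINA thread.
AFFECTED_CLASS = "org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider"
_NS = re.compile(r"^\{urn:jboss:module:[0-9.]+\}")


def module_info(module_xml):
    """Return (module name, jboss.api value or None, absolute jar paths)."""
    root = ET.parse(module_xml).getroot()
    api, jars = None, []
    for el in root.iter():
        tag = _NS.sub("", el.tag)            # strip the versioned namespace
        if tag == "property" and el.get("name") == "jboss.api":
            api = el.get("value")
        elif tag == "resource-root":
            jars.append(os.path.join(os.path.dirname(module_xml), el.get("path")))
    return root.get("name"), api, jars


def referencing_entries(jar_path, internal_name):
    """.class entries in jar_path whose bytes contain internal_name, excluding
    the affected class itself and its nested classes (Outer$Inner)."""
    needle = internal_name.encode()
    hits = []
    try:
        with zipfile.ZipFile(jar_path) as zf:
            for entry in zf.namelist():
                if not entry.endswith(".class"):
                    continue
                if entry == internal_name + ".class" or entry.startswith(internal_name + "$"):
                    continue                 # the class itself, not a user of it
                if needle in zf.read(entry):
                    hits.append(entry)
    except (zipfile.BadZipFile, FileNotFoundError):
        pass                                  # unreadable or missing jar: no hits
    return hits


def scan_install(wildfly_home, fq_class=AFFECTED_CLASS):
    """Walk modules/ and return {jar_path: {module, jboss.api, classes}} for
    every jar holding a class that references fq_class."""
    internal = fq_class.replace(".", "/")
    found = {}
    for dirpath, _, files in os.walk(os.path.join(wildfly_home, "modules")):
        if "module.xml" not in files:
            continue
        name, api, jars = module_info(os.path.join(dirpath, "module.xml"))
        for jar in jars:
            refs = referencing_entries(jar, internal)
            if refs:
                found[jar] = {"module": name, "jboss.api": api, "classes": refs}
    return found


def build_fixture():
    """Constructed mini install: the private sshd module from the post holding a
    stand-in for the affected class, plus a hypothetical app module whose class
    references it. Class files are fake (magic number + name), not real bytecode."""
    home = tempfile.mkdtemp(prefix="wf-")
    internal = AFFECTED_CLASS.replace(".", "/")

    def write_module(rel, name, api, jar, entries):
        d = os.path.join(home, "modules", rel, "main")
        os.makedirs(d)
        props = f'<properties><property name="jboss.api" value="{api}"/></properties>' if api else ""
        with open(os.path.join(d, "module.xml"), "w") as f:
            f.write(f'<module name="{name}" xmlns="urn:jboss:module:1.9">{props}'
                    f'<resources><resource-root path="{jar}"/></resources></module>')
        with zipfile.ZipFile(os.path.join(d, jar), "w") as zf:
            for entry, body in entries.items():
                zf.writestr(entry, b"\xca\xfe\xba\xbe" + body)

    write_module("org/apache/sshd", "org.apache.sshd", "private", "sshd-core-2.7.0.jar",
                 {internal + ".class": internal.encode(),
                  internal + "$1.class": internal.encode(),
                  "org/apache/sshd/common/Unrelated.class": b"org/apache/sshd/common/Unrelated"})
    write_module("org/example/app", "org.example.app", None, "app.jar",
                 {"org/example/App.class": b"L" + internal.encode() + b";"})
    return home


if __name__ == "__main__":
    import sys
    home = sys.argv[1] if len(sys.argv) > 1 else build_fixture()
    for jar, info in sorted(scan_install(home).items()):
        print(f"{info['module']} (jboss.api={info['jboss.api']}): {jar}")
        for cls in info["classes"]:
            print("   ", cls)
```

Run it against a real install with the WildFly home as the first argument; with no argument it runs on the constructed fixture and reports only the app jar, because the sshd jar's own copy of the class and its nested classes are filtered out. A clean result is evidence, not proof: the scan only covers jars listed in module.xml files under modules/, so point it at the deployments directory separately, and it cannot see reflective lookups of the class.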

--
You received this message because you are subscribed to the Google Groups "WildFly" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/wildfly/21f4a50e-41d1-4605-8ebc-429c6f46c9dbn%40googlegroups.com.