Type: Bug
Resolution: Fixed
Priority: Major
Fix versions: 2.390, 2.387.1
We are getting the following vulnerability report from newly built Jenkins servers using the latest weekly build (2.389):
CVE-2022-45047 MINA SSHD
We think it's related to the following:
/usr/share/java/jenkins.war/WEB-INF/detached-plugins/mina-sshd-api-common.hpi/WEB-INF/lib/sshd-common-2.9.1.jar
The vulnerability is fixed in version 2.9.2.
Can someone update this plugin within the next weekly build? This is blocking us from deploying Jenkins in our environment.
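The report above flags a vulnerable sshd-common jar nested inside a detached-plugin .hpi inside jenkins.war, which a flat filename scan can miss. The following inventory script is an added example, not part of the issue or of Jenkins itself: it walks an (unexploded) jenkins.war, recurses one level into bundled .hpi/.jpi archives, and lists every sshd-common jar older than 2.9.2, the fixed version the report names. The sample war it builds is constructed inline to mirror the path from the report.

```python
"""Inventory Apache MINA sshd-common jars bundled inside a jenkins.war."""
import io
import re
import zipfile

# Version in which CVE-2022-45047 is fixed, as stated in the report.
FIXED_VERSION = (2, 9, 2)
JAR_RE = re.compile(r"(?:^|/)sshd-common-(\d+)\.(\d+)\.(\d+)\.jar$")


def find_sshd_common(war_bytes: bytes):
    """Return [(path, version_tuple)] for every sshd-common jar in the war,
    including jars nested inside bundled .hpi/.jpi plugin archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.search(name)
            if m:
                hits.append((name, tuple(int(x) for x in m.groups())))
            elif name.endswith((".hpi", ".jpi")):
                # Plugin archives are zip files themselves; look one level down.
                with zipfile.ZipFile(io.BytesIO(war.read(name))) as hpi:
                    for inner in hpi.namelist():
                        m = JAR_RE.search(inner)
                        if m:
                            version = tuple(int(x) for x in m.groups())
                            hits.append((f"{name}/{inner}", version))
    return hits


def vulnerable_jars(war_bytes: bytes):
    """Paths of sshd-common jars older than the fixed version."""
    return [path for path, ver in find_sshd_common(war_bytes) if ver < FIXED_VERSION]


def build_sample_war() -> bytes:
    """Constructed sample war laid out like the path in the report (not a real Jenkins build)."""
    hpi = io.BytesIO()
    with zipfile.ZipFile(hpi, "w") as z:
        z.writestr("WEB-INF/lib/sshd-common-2.9.1.jar", b"")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/detached-plugins/mina-sshd-api-common.hpi", hpi.getvalue())
        z.writestr("WEB-INF/lib/sshd-common-2.9.2.jar", b"")  # constructed: an already-fixed copy
    return war.getvalue()


if __name__ == "__main__":
    for path in vulnerable_jars(build_sample_war()):
        print("needs upgrade:", path)
```

To run it against a real installation, replace build_sample_war() with the bytes of your jenkins.war; a hit only means the jar is bundled, and the comments below explain which copy Jenkins actually loads.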
Is related to: JENKINS-70571 Update bundled Apache Mina-sshd plugins from 2.9.1 to 2.9.2 (Closed)
The Mina SSHD API :: Common plugin page notes that 2.9.2-50.va_0e1f42659a_a was released Nov 16, 2022 and includes Apache Mina 2.9.2. Upgrade the plugin in your installation to that version and Jenkins will use that version, even if the 2.9.1 version is in the detached-plugins folder.
The only reference that I found in Jenkins core to the Apache Mina sshd library version is in the Jenkins command line interface. It was updated to 2.9.2 on Nov 16, 2022 as well. That update was included in Jenkins 2.379 and later. That update will be available in the Jenkins 2.387.1 LTS release. It has not been backported to Jenkins 2.375.2 or earlier.
The location that you mentioned, /usr/share/java/jenkins.war/WEB-INF, is not a location where Jenkins or the operating system typically writes the contents of a war file. The Apache Mina sshd API Common plugin is not a detached plugin from Jenkins as far as I can tell. I'm not sure what might be generating that set of files, but I don't think that it is coming from any Jenkins release that I recognize.
See my next comment for the correction of the mistakes I made in this comment. The 2.9.1 plugin versions are bundled in Jenkins 2.389. The 2.9.2 versions are the ones that are offered for installation. However, we don't want to be distracted by security scanners if we can avoid it.