
CVE-2022-45047 MINA SSHD - Please update Mina SSHD API :: Common

    • 2.390 2.387.1

      We are getting the following vulnerability report from newly built Jenkins servers using the latest weekly build (2.389) :

      CVE-2022-45047 MINA SSHD

      We think it's related to the following:

      /usr/share/java/jenkins.war/WEB-INF/detached-plugins/mina-sshd-api-common.hpi/WEB-INF/lib/sshd-common-2.9.1.jar

      The vulnerability is fixed in version 2.9.2.

      Can someone update this plugin within the next weekly build? This is blocking us from deploying Jenkins in our environment.


          Mark Waite added a comment - edited

          The Mina SSHD API :: Common plugin page notes that 2.9.2-50.va_0e1f42659a_a was released Nov 16, 2022 and includes Apache Mina 2.9.2. Upgrade the plugin in your installation to that version and Jenkins will use that version, even if the 2.9.1 version is in the detached-plugins folder.

          The only reference that I found in Jenkins core to the Apache Mina sshd library version is in the Jenkins command line interface. It was updated to 2.9.2 on Nov 16, 2022 as well. That update was included in Jenkins 2.379 and later. That update will be available in the Jenkins 2.387.1 LTS release. It has not been backported to Jenkins 2.375.2 or earlier.

          The location that you mentioned, /usr/share/java/jenkins.war/WEB-INF is not a location where Jenkins or the operating system typically writes the contents of a war file. The Apache mina sshd API commons plugin is not a detached plugin from Jenkins as far as I can tell. I'm not sure what might be generating that set of files, but I don't think that it is coming from any Jenkins release that I recognize.

          See my next comment for the correction of the mistakes I made in this comment. The 2.9.1 plugin versions are bundled in Jenkins 2.389. The 2.9.2 versions are the ones that are offered for installation. However, we don't want to be distracted by security scanners if we can avoid it.


          Mark Waite added a comment -

          My mistake. I just checked the jenkins.war file for 2.389 and it does include mina-sshd 2.9.1 as a detached plugin. Upgrade the plugin during the installation of Jenkins and the upgraded version will be used. I'll need to investigate further to see why that plugin version is being included even though the CLI dependency was updated to 2.9.2 in Jenkins 2.379.

          Thanks for the report!
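The check Mark describes above (opening jenkins.war and looking at which sshd-common jar the detached mina-sshd-api-common.hpi carries) can be scripted so a scanner finding is confirmed against the actual archive before anyone chases it. The following is an added example, not Jenkins project code and not part of this ticket: it walks WEB-INF/detached-plugins/*.hpi inside a war, reads the nested WEB-INF/lib jars (an .hpi is itself a zip), and reports any sshd-* jar older than 2.9.2, the version the ticket names as fixed. The war it builds in memory is a constructed stand-in for 2.389 with the path from the report; point it at a real file by passing the path as the first argument. Versions are compared as integer tuples so that 2.10.0 correctly sorts after 2.9.2.

```python
"""Inventory sshd-* jars nested in the detached plugins of a jenkins.war.

Added example (not Jenkins code). Assumes the war layout from the ticket:
WEB-INF/detached-plugins/<plugin>.hpi/WEB-INF/lib/<artifact>-<version>.jar
"""
import io
import re
import sys
import zipfile

# From the ticket: CVE-2022-45047 is fixed in Apache MINA SSHD 2.9.2.
FIXED_SSHD_VERSION = (2, 9, 2)

# Matches "sshd-common-2.9.1.jar" -> artifact "sshd-common", version "2.9.1".
JAR_NAME_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$"
)


def parse_version(text):
    """'2.9.1' -> (2, 9, 1); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def list_nested_jars(war_bytes):
    """Return (hpi_path, artifact, version_tuple) for every versioned jar
    inside every detached plugin bundled in the war."""
    results = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for hpi_path in war.namelist():
            if not (hpi_path.startswith("WEB-INF/detached-plugins/")
                    and hpi_path.endswith(".hpi")):
                continue
            # The .hpi is a zip nested inside the war; read it fully into memory.
            with zipfile.ZipFile(io.BytesIO(war.read(hpi_path))) as hpi:
                for member in hpi.namelist():
                    if not member.startswith("WEB-INF/lib/"):
                        continue
                    m = JAR_NAME_RE.match(member.rsplit("/", 1)[-1])
                    if m:
                        results.append((hpi_path, m.group("artifact"),
                                        parse_version(m.group("version"))))
    return results


def find_vulnerable_sshd(war_bytes, fixed=FIXED_SSHD_VERSION):
    """Return [(hpi_path, artifact, version_str)] for sshd-* jars older than the fix."""
    return [
        (hpi, artifact, ".".join(map(str, version)))
        for hpi, artifact, version in list_nested_jars(war_bytes)
        if artifact.startswith("sshd-") and version < fixed
    ]


def build_sample_war(sshd_version="2.9.1"):
    """Constructed stand-in for jenkins.war 2.389: one detached plugin carrying
    sshd-common at the given version. Jar members are empty placeholders."""
    hpi_buf = io.BytesIO()
    with zipfile.ZipFile(hpi_buf, "w") as hpi:
        hpi.writestr(f"WEB-INF/lib/sshd-common-{sshd_version}.jar", b"")
        hpi.writestr("WEB-INF/lib/other-lib-1.0.0.jar", b"")  # constructed, not sshd
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/detached-plugins/mina-sshd-api-common.hpi",
                     hpi_buf.getvalue())
        # A top-level war jar is outside detached-plugins and is not inspected here.
        war.writestr("WEB-INF/lib/placeholder-0.0.1.jar", b"")
    return war_buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war()
    findings = find_vulnerable_sshd(data)
    for hpi, artifact, version in findings:
        print(f"{hpi}: {artifact} {version} is older than the fixed 2.9.2")
    if not findings:
        print("no sshd-* jar older than 2.9.2 found in detached plugins")
```

Running it with no argument reproduces the situation in the report (sshd-common 2.9.1 inside mina-sshd-api-common.hpi); a war whose detached plugin carries 2.9.2 or later produces no finding. Note that this only inventories what is bundled in the war, which is exactly what the scanner saw; a plugin upgraded in JENKINS_HOME/plugins takes precedence at runtime, as the comments above explain, so a finding here is a reason to verify the installed plugin version, not proof that the running instance is exposed.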


          Mark Waite added a comment -

          Backported to Jenkins 2.387.1 as part of PR-7650


            markewaite Mark Waite
            fitzwar Andrew