A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0 References: https://lists.apache.org/thread.html/r6d4f78e192a0c8eabd671a018da464024642980ecd24096bde6db36f%40%3Cusers.mina.apache.org%3E https://lists.apache.org/thread.html/r6d4f78e192a0c8eabd671a018da464024642980ecd24096bde6db36f@%3Cusers.mina.apache.org%3E
Upstream Fix: https://github.com/apache/mina-sshd/pull/181/commits/5b5bd1dcfa0c2fc250e079e1ebcd643b51f735eb https://github.com/apache/mina-sshd/pull/181/commits/f9b2f236e6a663011b50bd7e9a41ec90e6b94831 Upstream Issue: https://github.com/apache/mina-sshd/pull/181
This vulnerability is out of security support scope for the following products: * Red Hat JBoss A-MQ 6 * Red Hat JBoss Fuse 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss BPMS 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat Integration Camel-K and Camel Quarkus as having a low impact, this is because although both products ship artifacts in the vulnerable range, Mina SSH is used by camel-ssh in the context as a client and not a server, only the ssh server is vulnerable to the DoS.
A word on scoring, our scoring is currently 6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and NVD of 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H will change to 6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Exploitability Metrics: Attack Vector Network (AV:N) Agree here, mina sshd and the affected sftp and port forwarding features are bound to the network stack, mina sshd can and frequently is a internet facing service, mina operates both as a ssh client and server, it is only the server functionality that is affected by the high impact upon availability. Attack Complexity Low (AC:L) Agree here, there are no specialized access conditions or extenuating circumstances other than the component configuration itself, that is to say although the end-application must be using the sftp or port forwarding features of the mina sshd service this should be considered as configuration. Privileges Required None (PR:N) -> Privileges Required Low (PR:L) We disagree with the original scoring of PR:N because an authenticated user session must be present in order to exploit the flaw, in other words the attacker requires privileges that provide basic user capabilities. User Interaction None (UI:N) Agree here, the vulnerable system can be exploited without interaction from any user Scope Unchanged (S:U) Agree here, the attacker will not be able to escape the scope of the executing JVM solely due to this flaw Impact Metrics: Confidentiality None (C:N) Agree here, this flaws principle impact is to availability, an attacker is unable to divulge any restricted information Integrity None (I:N) Agree here, there is no impact upon integrity, an attacker using this flaw would be unable to modify data. Availability High (A:H) Agree here, this flaw can result in the total loss of availability of the mina sshd service through memory exhaustion, this may also result in the termination of the end-application but this depends on end-application handling of the out of memory condition.
This issue has been addressed in the following products: EAP 7.4.2 release Via RHSA-2021:4679 https://access.redhat.com/errata/RHSA-2021:4679
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2021:4676 https://access.redhat.com/errata/RHSA-2021:4676
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2021:4677 https://access.redhat.com/errata/RHSA-2021:4677
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-30129
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
This issue has been addressed in the following products: RHINT Camel-Q 2.2.1 Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
This issue has been addressed in the following products: RHPAM 7.13.4 async Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983