Upstream Fix: 
https://github.com/apache/mina-sshd/pull/181/commits/5b5bd1dcfa0c2fc250e079e1ebcd643b51f735eb
https://github.com/apache/mina-sshd/pull/181/commits/f9b2f236e6a663011b50bd7e9a41ec90e6b94831


Upstream Issue: https://github.com/apache/mina-sshd/pull/181

This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss BPMS 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Marking Red Hat Integration Camel-K and Camel Quarkus as having a low impact, this is because although both products ship artifacts in the vulnerable range, Mina SSH is used by camel-ssh in the context as a client and not a server, only the ssh server is vulnerable to the DoS.

A word on scoring, our scoring is currently 6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H and NVD of 7.5/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H will change to 6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Exploitability Metrics:

Attack Vector Network (AV:N) 
Agree here, mina sshd and the affected sftp and port forwarding features are bound to the network stack, mina sshd can and frequently is a internet facing service, mina operates both as a ssh client and server, it is only the server functionality that is affected by the high impact upon availability.

Attack Complexity Low (AC:L)
Agree here, there are no specialized access conditions or extenuating circumstances other than the component configuration itself, that is to say although the end-application must be using the sftp or port forwarding features of the mina sshd service this should be considered as configuration.

Privileges Required None (PR:N) -> Privileges Required Low (PR:L) 
We disagree with the original scoring of PR:N because an authenticated user session must be present in order to exploit the flaw, in other words the attacker requires privileges that provide basic user capabilities. 

User Interaction None (UI:N)
Agree here, the vulnerable system can be exploited without interaction from any user

Scope Unchanged (S:U)
Agree here, the attacker will not be able to escape the scope of the executing JVM solely due to this flaw
 
Impact Metrics:

Confidentiality None (C:N)
Agree here, this flaws principle impact is to availability, an attacker is unable to divulge any restricted information

Integrity None (I:N)
Agree here, there is no impact upon integrity, an attacker using this flaw would be unable to modify data.

Availability High (A:H)
Agree here, this flaw can result in the total loss of availability of the mina sshd service through memory exhaustion, this may also result in the termination of the end-application but this depends on end-application handling of the out of memory condition.

This issue has been addressed in the following products:

  EAP 7.4.2 release

Via RHSA-2021:4679 https://access.redhat.com/errata/RHSA-2021:4679

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2021:4676 https://access.redhat.com/errata/RHSA-2021:4676

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2021:4677 https://access.redhat.com/errata/RHSA-2021:4677

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-30129

This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013

This issue has been addressed in the following products:

  RHPAM 7.13.4 async

Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983