Re: [jgit-dev] Vulnerability CVE-2023-48795

On 02.01.24 15:12, Malyshkin, Denis via jgit-dev wrote:
> There is a new vulnerability -- https://nvd.nist.gov/vuln/detail/CVE-2023-48795 According to the list of the affected libraries, the "Apache MINA sshd through 2.11.0" library is also affected.

> Does this vulnerability affect JGit and/or JGit users somehow?

Not directly; but it does of course affect SSH connections.

> If yes, do you have plans to update the Apache Mina library? Do you have a ticket for this?

Once upstream has released a new version incorporating the fix,
we will update our dependencies to require at least that version.

No, we don't yet have a ticket for this. We will when we're ready to do
this.

> The corresponding Apache Mina ticket is still in progress -- https://github.com/apache/mina-sshd/issues/445

In the meantime the Terrapin discoverers have given some possible
mitigation steps. Or you might use an external SSH executable.

Also take note of what OpenSSH has to say about this attack in its
release notes[1]. The security impact appears to be rather limited.
Note that "keystroke timing obfuscation" is not implemented in Apache
MINA sshd at all, and typically is of no concern for git-over-ssh.

Cheers,

  Thomas

[1] https://www.openssh.com/releasenotes.html
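The reply above points at the mitigation steps published with the Terrapin disclosure without spelling them out. The following is an added example, not code from this thread, JGit or Apache MINA sshd: it models the SSH algorithm negotiation from both sides' SSH_MSG_KEXINIT lists and reports whether the connection would end up in one of the CVE-2023-48795 affected modes (the chacha20-poly1305@openssh.com cipher, or a CBC cipher combined with an encrypt-then-MAC MAC) without the "strict kex" extension that mitigates the attack. The KEXINIT lists used as input are constructed for illustration; the algorithm names and the strict-kex marker names are those defined in the Terrapin disclosure and the OpenSSH release notes.

```python
# Added example: assess a would-be SSH connection for CVE-2023-48795 (Terrapin)
# exposure from both peers' SSH_MSG_KEXINIT name-lists. Not JGit/MINA code.

# Pseudo-KEX names that signal support for strict key exchange. The client
# advertises the "-c-" marker, the server the "-s-" marker; the mitigation
# is only active when BOTH sides advertise it.
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"

# Cipher that is affected on its own (it integrates the MAC into the cipher).
CHACHA20 = "chacha20-poly1305@openssh.com"


def parse_name_list(s):
    """SSH name-lists are comma-separated ASCII names; '' means an empty list."""
    return [name for name in s.split(",") if name]


def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1: choose the first client-preferred algorithm the
    server also supports, or None if there is no common algorithm."""
    for name in client_prefs:
        if name in server_prefs:
            return name
    return None


def terrapin_exposure(client, server):
    """client / server: dicts with keys 'kex', 'cipher', 'mac' holding the
    algorithm name-lists from each side's KEXINIT (one direction is enough
    for illustration; a real check would look at both directions).

    Returns a list of human-readable findings; an empty list means the
    negotiated connection is not in a Terrapin-affected mode."""
    findings = []

    # Strict kex fully mitigates the attack, but only when both sides agree.
    if STRICT_KEX_CLIENT in client["kex"] and STRICT_KEX_SERVER in server["kex"]:
        return findings

    cipher = negotiate(client["cipher"], server["cipher"])
    mac = negotiate(client["mac"], server["mac"])

    if cipher == CHACHA20:
        findings.append(f"negotiated {cipher} without strict kex")
    elif (cipher and cipher.endswith("-cbc")
          and mac and mac.endswith("-etm@openssh.com")):
        findings.append(f"negotiated CBC cipher {cipher} with EtM MAC {mac} "
                        "without strict kex")
    return findings


# Constructed KEXINIT lists for three illustrative cases (not captured traffic).
CLIENT_LEGACY = {
    "kex": parse_name_list("curve25519-sha256,diffie-hellman-group14-sha256"),
    "cipher": parse_name_list("chacha20-poly1305@openssh.com,aes256-gcm@openssh.com"),
    "mac": parse_name_list("hmac-sha2-256-etm@openssh.com,hmac-sha2-256"),
}
SERVER_LEGACY = {
    "kex": parse_name_list("curve25519-sha256,diffie-hellman-group14-sha256"),
    "cipher": parse_name_list("chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-cbc"),
    "mac": parse_name_list("hmac-sha2-256-etm@openssh.com,hmac-sha2-256"),
}
# Same peers after both were updated to advertise strict kex.
CLIENT_STRICT = dict(CLIENT_LEGACY, kex=CLIENT_LEGACY["kex"] + [STRICT_KEX_CLIENT])
SERVER_STRICT = dict(SERVER_LEGACY, kex=SERVER_LEGACY["kex"] + [STRICT_KEX_SERVER])
# Unpatched client that simply prefers an unaffected AEAD cipher (the other
# mitigation the discoverers describe: avoid the affected algorithms).
CLIENT_GCM_FIRST = dict(CLIENT_LEGACY,
                        cipher=parse_name_list("aes256-gcm@openssh.com,chacha20-poly1305@openssh.com"))
# Client that would fall into the CBC + EtM case.
CLIENT_CBC_ETM = dict(CLIENT_LEGACY, cipher=parse_name_list("aes256-cbc"))


def run_demo():
    """Return the findings for each constructed case, keyed by case name."""
    return {
        "legacy": terrapin_exposure(CLIENT_LEGACY, SERVER_LEGACY),
        "strict_kex": terrapin_exposure(CLIENT_STRICT, SERVER_STRICT),
        "gcm_first": terrapin_exposure(CLIENT_GCM_FIRST, SERVER_LEGACY),
        "cbc_etm": terrapin_exposure(CLIENT_CBC_ETM, SERVER_LEGACY),
    }


if __name__ == "__main__":
    for case, findings in run_demo().items():
        print(f"{case}: {findings or 'not exposed'}")
```

The two branches correspond to the two mitigation routes the discoverers describe: either both peers support strict kex (the upstream fix the reply is waiting for), or the affected cipher and MAC combinations are removed from the preference lists so that they are never negotiated in the first place.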