Improper Validation of Integrity Check Value
CVE-2024-41909
Summary
Like many other SSH implementations, Apache MINA SSHD was affected by the issue more widely known as CVE-2023-48795. An attacker who can intercept traffic between client and server could drop certain packets from the stream, potentially causing client and server to end up with a connection for which some security features have been downgraded or disabled (a Terrapin attack). The mitigation against this type of attack was implemented in Apache MINA SSHD on both the client and the server side. This issue affects org.apache.sshd:sshd-core package versions prior to 2.12.0. Users are recommended to upgrade to a fixed version. Note that both the client and the server implementation must have the mitigation applied; otherwise the connection may still be affected.
- HIGH
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-354 - Improper Validation of Integrity Check Value
The software does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.