If you’re running an SSH server using Apache MINA SSHD—especially anything up to version 2.9.1—you need to know about a serious vulnerability named CVE-2022-45047. This long read breaks down what happened, why it's dangerous, and how attackers can take advantage of insecure Java deserialization built into MINA SSHD's host key provider.
What’s Apache MINA SSHD?
Apache MINA SSHD is a flexible Java-based library that lets you add SSH server functionality to your applications. Many Java projects use it to add SSH features fast, without writing cryptography code themselves.
A typical use is for embedded devices or management panels needing SSH support. Out of the box, MINA SSHD offers several ways to manage your server’s host keys. One way—convenient, but sadly flawed until recently—is the SimpleGeneratorHostKeyProvider class.
The Vulnerable Class: SimpleGeneratorHostKeyProvider
The SimpleGeneratorHostKeyProvider helps the SSH server load and save its private keys (the keys that identify the SSH server). Notably, in versions up to 2.9.1, this class could deserialize Java objects directly from disk like this:
Vulnerable code snippet (simplified)
// Inside SimpleGeneratorHostKeyProvider
private KeyPair doReadKeyPair(File file) throws IOException, GeneralSecurityException, ClassNotFoundException {
try (ObjectInputStream ois = new ObjectInputStream(new FileInputStream(file))) {
PrivateKey privateKey = (PrivateKey) ois.readObject();
// ...snip...
}
}
If a file hostkey.ser (or other configured file) exists, SimpleGeneratorHostKeyProvider reads it using ObjectInputStream, a standard Java way to reconstruct serialized objects. The problem: no security checks.
Why Is Java Deserialization Dangerous?
To put it simply: when Java applications deserialize objects, arbitrary code can be executed if the input is controlled by an attacker and vulnerable gadget chains are present in the classpath. This is considered one of the most risky behaviors in Java security.
Many critical vulnerabilities (like those in Jenkins, JBoss, or even game servers) boiled down to insecure object deserialization via ObjectInputStream.
To exploit this bug, an attacker would
1. Write a malicious serialized object containing a gadget chain (such as those found in common Java libraries).
2. Replace the SSH private key file (for example, hostkey.ser) on the server with this malicious file.
Trigger code execution when the server reads and deserializes the malicious object on startup.
It’s common that attackers need to chain this with another vulnerability, such as a path traversal or arbitrary file write flaw, but sometimes poor file permissions or deployment errors make the serialized file world-writable by accident.
Demonstration: A Minimal Exploit
*Warning: This is for educational use on non-production, permission-granted test environments only!*
Suppose gadgets are present (such as from commons-collections). Here’s how an attacker could craft a malicious .ser file:
// Using ysoserial to generate a payload
// https://github.com/frohoff/ysoserial
ProcessBuilder pb = new ProcessBuilder("java", "-jar", "ysoserial.jar", "CommonsCollections5", "touch /tmp/hacked");
pb.redirectOutput(new File("hostkey.ser"));
pb.start().waitFor();
Then, the attacker replaces the server’s SSH key file with this hostkey.ser. When the MINA SSHD process restarts and loads this file, it triggers the payload—running touch /tmp/hacked.
Any application embedding Apache MINA SSHD ≤ 2.9.1
- Applications using the SimpleGeneratorHostKeyProvider, especially with default file paths or weak permissions
How Was This Fixed?
Starting from version 2.9.2, Apache MINA SSHD removed this dangerous deserialization behavior. Now, keys are stored using a safer encoding (like PEM), and loading with ObjectInputStream is no longer used.
Commit with the fix:
https://github.com/apache/mina-sshd/commit/39df1ebb7f34989c1578935b8cc157220a647233
Security advisory:
https://lists.apache.org/thread/hq14sb9rfkrqkbyo8vsyq7oyppns27bw
Release notes:
https://issues.apache.org/jira/browse/SSHD-1296
Upgrade to Apache MINA SSHD 2.9.2 or later
- If you can’t upgrade, never use SimpleGeneratorHostKeyProvider with untrusted or publicly writable files
Reference Links
- Apache MINA SSHD Security Advisory - CVE-2022-45047
- CVE Details Entry
- Exploit Writing with ysoserial
- Apache JIRA Issue
Final Thoughts
If you build or maintain Java applications that embed an SSH server, never trust deserialized objects from disk, especially for sensitive elements like keys. Whether or not you're a MINA SSHD user, this vulnerability is a classic case of how one insecure design choice can let attackers run code on your server.
Stay safe—review your dependencies, avoid deserialization of untrusted data, and keep your libraries up to date.
If you liked this deep dive, share it with fellow sysadmins or Java teams—prevention is everyone's job!
Timeline
Published on: 11/16/2022 09:15:00 UTC
Last modified on: 11/18/2022 18:09:00 UTC