{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"Medium" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"apache-sshd security update", "category":"general", "title":"Synopsis" }, { "text":"An update for apache-sshd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.", "category":"general", "title":"Summary" }, { "text":"Apache SSHD is a 100% pure java library to support the SSH protocols on both the client and server side.\n\nSecurity Fix(es):\n\nA vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0(CVE-2021-30129)", "category":"general", "title":"Description" }, { "text":"An update for apache-sshd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2.\n\nopenEuler Security has rated this update as having a security impact of medium. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"Medium", "category":"general", "title":"Severity" }, { "text":"apache-sshd", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2021-1312", "category":"self", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1312" }, { "summary":"CVE-2021-30129", "category":"self", "url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2021-30129&packageName=apache-sshd" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30129" }, { "summary":"openEuler-SA-2021-1312 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1312.json" } ], "title":"An update for apache-sshd is now available for openEuler-20.03-LTS-SP1 and openEuler-20.03-LTS-SP2", "tracking":{ "initial_release_date":"2021-08-20T09:21:50+08:00", "revision_history":[ { "date":"2021-08-20T09:21:50+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:21:50+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:21:50+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:21:50+08:00", "id":"openEuler-SA-2021-1312", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"openEuler-20.03-LTS-SP2", "name":"openEuler-20.03-LTS-SP2" }, "name":"openEuler-20.03-LTS-SP2", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm" }, "name":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"apache-sshd-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"apache-sshd-2.2.0-2.oe1.noarch.rpm" }, "name":"apache-sshd-2.2.0-2.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"apache-sshd-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP2)", "name":"apache-sshd-2.2.0-2.oe1.noarch.rpm" }, "name":"apache-sshd-2.2.0-2.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP2)", "name":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm" }, "name":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"apache-sshd-2.2.0-2.oe1.src.rpm(20.03-LTS-SP1)", "name":"apache-sshd-2.2.0-2.oe1.src.rpm" }, "name":"apache-sshd-2.2.0-2.oe1.src.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP2" }, "product_id":"apache-sshd-2.2.0-2.oe1.src.rpm(20.03-LTS-SP2)", "name":"apache-sshd-2.2.0-2.oe1.src.rpm" }, "name":"apache-sshd-2.2.0-2.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "name":"apache-sshd-javadoc-2.2.0-2.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"apache-sshd-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.noarch", "name":"apache-sshd-2.2.0-2.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"apache-sshd-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.noarch", "name":"apache-sshd-2.2.0-2.oe1.noarch as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"apache-sshd-javadoc-2.2.0-2.oe1.noarch.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "name":"apache-sshd-javadoc-2.2.0-2.oe1.noarch as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"apache-sshd-2.2.0-2.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.src", "name":"apache-sshd-2.2.0-2.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP2", "product_reference":"apache-sshd-2.2.0-2.oe1.src.rpm(20.03-LTS-SP2)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.src", "name":"apache-sshd-2.2.0-2.oe1.src as a component of openEuler-20.03-LTS-SP2" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2021-30129", "notes":[ { "text":"A vulnerability in sshd-core of Apache Mina SSHD allows an attacker to overflow the server causing an OutOfMemory error. This issue affects the SFTP and port forwarding features of Apache Mina SSHD version 2.0.0 and later versions. It was addressed in Apache Mina SSHD 2.7.0", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP2:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.src", "openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP2:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.src", "openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.src" ], "details":"apache-sshd security update", "category":"vendor_fix", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1312" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":6.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP2:apache-sshd-javadoc-2.2.0-2.oe1.noarch", "openEuler-20.03-LTS-SP1:apache-sshd-2.2.0-2.oe1.src", "openEuler-20.03-LTS-SP2:apache-sshd-2.2.0-2.oe1.src" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2021-30129" } ] }