
[SECURITY] JSch library is outdated and unmaintained, switch to mwiede implementation #5608

Closed
jonbartels opened this issue Jan 3, 2023 · 6 comments
Labels
Internal-Issue-Created An issue has been created in NextGen's internal issue tracker RS-9938 Security triaged
Milestone

Comments

@jonbartels
Contributor

Describe the security issue
JSch has not published a release since 2018 (http://www.jcraft.com/jsch/ChangeLog). Several changes in OpenSSH (the most common SSH implementation) will no longer allow JSch to connect with older, unsupported algorithms.

Suggested remediation

Additional context
Explanation of why jsch was forked

@jonbartels
Contributor Author

Fortunately, JSch only appears in two SFTP classes in the file connector.

This means that changing JSch implementations can be isolated to just the file connector. It can be built as its own extension, deployed, tested, etc.

Whatever internal tickets, tasks, and testing were done for #4080, which was part of MC 4.1.0, can be repeated using the mwiede JSch fork. @joaryche were the JSch updates for 4.1.0 simply swapping JARs, or was there more to it?

@joaryche
Collaborator

I created a Docker container which uses an image (atmoz/sftp) for SSH/SFTP, then ran my connector tests against the container.

@lmillergithub lmillergithub added triaged RS-9938 Internal-Issue-Created An issue has been created in NextGen's internal issue tracker labels Jan 11, 2023
@tonygermano
Collaborator

@lmillergithub Is there a reason that JSch is in server-lib instead of with the File Reader/Writer extensions?

@jonbartels
Contributor Author

The user "Joe Clark" did an experiment in Slack swapping in the mwiede JAR. Joe posted some errors (screenshot not reproduced here).

This is actually GOOD.

  1. The library appears to "just work".
  2. See how the mwiede errors show more detail about the problem? This additional detail is an improvement over old JSch because it shows information about keys.

Joe has not done a complete, successful experiment, but I think Joe has shown that the mwiede JAR has merit.

https://mirthconnect.slack.com/archives/C02SW0K4D/p1675982566199079?thread_ts=1675722960.061319&cid=C02SW0K4D

@jonbartels
Contributor Author

https://github.com/mwiede/jsch/releases/tag/jsch-0.2.8 was just released, and mwiede/jsch#287 would be helpful in Mirth for cases where connections fail due to algorithm negotiation.
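As an added illustration (not code from Mirth Connect or from either JSch project) of what the file connector gains from the fork: a standalone client that pins the modern algorithm lists current OpenSSH servers still enable, keeps strict host-key checking, and routes JSch's own log to stderr so an algorithm-negotiation failure reports what each side offered. The host, user, port and known_hosts path are constructed placeholders; it assumes the mwiede fork (same com.jcraft.jsch package) is on the classpath.

```java
import com.jcraft.jsch.ChannelSftp;
import com.jcraft.jsch.JSch;
import com.jcraft.jsch.Logger;
import com.jcraft.jsch.Session;

public class SftpAlgoCheck {
    // Constructed placeholders: replace with the real SFTP endpoint and known_hosts file.
    static final String HOST = "sftp.example.internal";
    static final int PORT = 22;
    static final String USER = "mirth";
    static final String KNOWN_HOSTS = "/path/to/known_hosts";

    public static void main(String[] args) throws Exception {
        // Send JSch's internal log to stderr: on "Algorithm negotiation fail" it
        // prints the kex/cipher/host-key lists offered by client and server.
        JSch.setLogger(new Logger() {
            public boolean isEnabled(int level) { return level >= Logger.INFO; }
            public void log(int level, String message) {
                System.err.println("[jsch " + level + "] " + message);
            }
        });

        JSch jsch = new JSch();
        jsch.setKnownHosts(KNOWN_HOSTS);           // trust store for server host keys
        Session session = jsch.getSession(USER, HOST, PORT);
        session.setPassword(System.getenv("SFTP_PASSWORD"));

        // Refuse unknown or changed host keys instead of silently accepting them.
        session.setConfig("StrictHostKeyChecking", "yes");
        // Explicit allow-lists matching current OpenSSH defaults. The fork implements
        // all of these; the 2018 JSch release lacks the curve25519, GCM, ed25519 and
        // rsa-sha2 entries, which is why it fails against hardened servers.
        session.setConfig("kex", "curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256");
        session.setConfig("server_host_key", "ssh-ed25519,rsa-sha2-512,rsa-sha2-256");
        session.setConfig("cipher.c2s", "aes256-gcm@openssh.com,aes128-ctr");
        session.setConfig("cipher.s2c", "aes256-gcm@openssh.com,aes128-ctr");
        session.setConfig("mac.c2s", "hmac-sha2-256-etm@openssh.com,hmac-sha2-256");
        session.setConfig("mac.s2c", "hmac-sha2-256-etm@openssh.com,hmac-sha2-256");

        session.connect(10_000);
        ChannelSftp sftp = (ChannelSftp) session.openChannel("sftp");
        sftp.connect(10_000);
        try {
            for (Object entry : sftp.ls(".")) {   // directory listing proves the channel works
                System.out.println(entry);
            }
        } finally {
            sftp.disconnect();
            session.disconnect();
        }
    }
}
```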

@jonbartels
Contributor Author

https://github.com/jonbartels/connect/tree/5608-update-jsch-impl-to-mweide

I have not tested yet, but the change seems as simple as swapping JARs. I intend to follow John Anderson's testing strategy.

I could not find any other references where JSch was explicitly loaded.

I kind of wanted to add a lib directory specific to the file connector, but that seemed like a bigger change to the project layout and out of scope.

pladesma added a commit that referenced this issue Nov 30, 2023
@pladesma pladesma added this to the 4.5.0 milestone Dec 13, 2023