[SECURITY] JSch library is outdated and unmaintained, switch to mweide implementation #5608
Comments
Fortunately JSCH only appears in two SFTP classes in the file connector. This means that changing JSch implementations can be isolated to just the file connector. It can be built as its own extension, deployed, tested, etc. Whatever internal tickets, tasks, and testing were done for #4080 which was part of MC 4.1.0 can be repeated using the mwiede JSch fork. @joaryche were the JSch updates for 4.1.0 just simply swapping JARs or was there more to it?
I created a Docker container which uses an image (atmoz/sftp) for SSH/SFTP. Then ran my connector tests against the container.
@lmillergithub Is there a reason that Jsch is in server-lib instead of with the File Reader/Writer extensions?
https://github.com/mwiede/jsch/releases/tag/jsch-0.2.8 just released and mwiede/jsch#287 would be helpful in Mirth for cases where connections fail due to algo negotiation.
https://github.com/jonbartels/connect/tree/5608-update-jsch-impl-to-mweide Have not tested yet but the change seems as simple as swapping JARs. I intend to follow John Anderson's testing strategy. I could not find any other references where jsch was explicitly loaded. I kind of wanted to add a lib directory specific to the file connector but that seemed like a bigger change to the project layout and out of scope.
Describe the security issue
JSCH has not published a release since 2018 (http://www.jcraft.com/jsch/ChangeLog). Several changes in OpenSSH (the most common SSH implementation) will no longer allow JSCH to connect with older, unsupported algorithms.
Suggested remediation
Additional context
Explanation of why jsch was forked