hierynomus / sshj

ssh, scp and sftp for java

Terrapin Vulnerability CVE-2023-48795

hannosgit opened this issue

Hi!

Is this library affected by the Terrapin Vulnerability?
I tried this library with Terrapin-Scanner and the output of the scanner says that SSHJ is affected:

```
G:\Downloads>Terrapin_Scanner_Windows_amd64.exe --listen 2222
Listening for incoming client connection on 127.0.0.1:2222
================================================================================
==================================== Report ====================================
================================================================================

Remote Banner: SSH-2.0-SSHJ_0.37.0

ChaCha20-Poly1305 support:   true
CBC-EtM support:             true

Strict key exchange support: false

==> The scanned peer is VULNERABLE to Terrapin.

Note: This tool is provided as is, with no warranty whatsoever. It determines
      the vulnerability of a peer by checking the supported algorithms and
      support for strict key exchange. It may falsely claim a peer to be
      vulnerable if the vendor supports countermeasures other than strict key
      exchange.

For more details visit our website available at https://terrapin-attack.com
```
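
The verdict in the report above depends only on what the peer advertises in its SSH_MSG_KEXINIT. The following Go program is an added example, not part of this thread and not code from SSHJ or Terrapin-Scanner: it parses a KEXINIT payload and applies the same rule to a constructed client message. The names `Report`, `ParseKexInit`, `Assess` and `BuildKexInit` are hypothetical, and it assumes "CBC-EtM support" means any `-cbc` cipher offered together with any `-etm@openssh.com` MAC, with both directions pooled.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"strings"
)

// Report holds the three properties the scanner prints; Vulnerable applies its verdict rule.
type Report struct{ ChaCha20, CBCEtM, StrictKex bool }
func (r Report) Vulnerable() bool { return (r.ChaCha20 || r.CBCEtM) && !r.StrictKex }

// ParseKexInit returns the ten raw name-lists of an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1).
func ParseKexInit(p []byte) (l [10]string, err error) {
	if len(p) < 17 || p[0] != 20 { // message type 20, then a 16-byte cookie
		return l, fmt.Errorf("not a KEXINIT payload")
	}
	for i, rest := 0, p[17:]; i < len(l); i++ {
		if len(rest) < 4 || uint64(binary.BigEndian.Uint32(rest)) > uint64(len(rest)-4) {
			return l, fmt.Errorf("name-list %d is truncated", i)
		}
		n := binary.BigEndian.Uint32(rest)
		l[i], rest = string(rest[4:4+n]), rest[4+n:]
	}
	return l, nil
}

// Assess pools both directions (a simplification): lists 2-3 are ciphers, 4-5 are MACs, 0 is KEX.
func Assess(l [10]string, peerIsClient bool) Report {
	marker := map[bool]string{true: ",kex-strict-c-v00@openssh.com", false: ",kex-strict-s-v00@openssh.com"}[peerIsClient]
	match := func(list, s string) bool { return strings.Contains(","+list+",", s+",") } // some name ends with s
	ciphers, macs := l[2]+","+l[3], l[4]+","+l[5]
	return Report{match(ciphers, ",chacha20-poly1305@openssh.com"),
		match(ciphers, "-cbc") && match(macs, "-etm@openssh.com"), match(l[0], marker)}
}

// BuildKexInit encodes name-lists behind a zero cookie; used here only for constructed samples.
func BuildKexInit(lists [10]string) []byte {
	p := append([]byte{20}, make([]byte, 16)...)
	for _, s := range lists {
		p = append(binary.BigEndian.AppendUint32(p, uint32(len(s))), s...)
	}
	return append(p, 0, 0, 0, 0, 0) // first_kex_packet_follows and reserved
}

func main() { // constructed sample: a client offering affected modes and no strict-KEX marker
	c := "chacha20-poly1305@openssh.com,aes128-cbc"
	l, err := ParseKexInit(BuildKexInit([10]string{"curve25519-sha256", "ssh-ed25519", c, c, "hmac-sha2-256-etm@openssh.com"}))
	fmt.Println(Assess(l, true), Assess(l, true).Vulnerable(), err)
}
```

A client that appends `kex-strict-c-v00@openssh.com` to its KEX list flips `StrictKex` to true, but the countermeasure only takes effect when the server also advertises its own marker.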

Are we going to get a new release with this fix soon? SSHJ is still showing up as "To be released" on https://terrapin-attack.com/patches.html 🤔 I know it's the holidays and all, I'm just curious and wanted to make sure this didn't slip through the cracks and get forgotten or something. 😃