9096tyz opened a new issue, #903:
URL: https://github.com/apache/mina-sshd/issues/903

   ### Version
   
   2.15.0
   
   ### Bug description
   
   Nmap can scan the version number of Apache MINA SSHD. Attackers may obtain the version number and find the corresponding vulnerability to attack the system.
   
   ### Actual behavior
   
   Nmap can scan the version number of Apache MINA SSHD. Attackers may obtain the version number and find the corresponding vulnerability to attack the system.
   
   ### Expected behavior
   
   We hope that open source software will give us a way to hide version information.
   
   ### Relevant log output
   
   For details about the problem symptom and code segment, see the Other information sections. We want to modify it, but we don't have a public method to modify it.

   1. org/apache/sshd/common/session/helpers/SessionHelper.java:

   ```java
   protected String resolveIdentificationString(String configPropName) {
       FactoryManager manager = getFactoryManager();
       String ident = manager.getString(configPropName);
       return SessionContext.DEFAULT_SSH_VERSION_PREFIX
              + (GenericUtils.isEmpty(ident) ? manager.getVersion() : ident);
   }
   ```

   protected, we cannot change it.

   2. org/apache/sshd/client/session/AbstractClientSession.java:

   ```java
   protected IoWriteFuture sendClientIdentification() throws Exception {
       clientVersion = resolveIdentificationString(CoreModuleProperties.CLIENT_IDENTIFICATION.getName());
       // Note: we intentionally use an unmodifiable list in order to enforce the fact that client cannot send header lines
       signalSendIdentification(clientVersion, Collections.emptyList());
       return sendIdentification(clientVersion, Collections.emptyList());
   }
   ```

   The clientVersion is protected.
   
   ### Other information
   
   Thank U!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
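
The `resolveIdentificationString` code quoted in the issue only falls back to `manager.getVersion()` when the identification property is empty, so setting that property replaces the version in the banner. The following is an added example, not part of the original issue or the project's code: it sets the server-side property and then reads the banner over a raw socket to confirm the library version is no longer sent. It assumes `sshd-core` is on the classpath and uses `CoreModuleProperties.SERVER_IDENTIFICATION` (the server counterpart of the `CLIENT_IDENTIFICATION` shown above); the class name `BannerCheck` and the value `SSHD` are hypothetical.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;

import org.apache.sshd.core.CoreModuleProperties;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

public class BannerCheck {
    // Hypothetical neutral identification; the library prepends "SSH-2.0-".
    static final String CUSTOM_IDENT = "SSHD";

    public static void main(String[] args) throws Exception {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setHost("127.0.0.1");
        sshd.setPort(0); // let the OS pick a free port for this local check
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider()); // in-memory host key

        // A non-empty value here is used instead of manager.getVersion().
        CoreModuleProperties.SERVER_IDENTIFICATION.set(sshd, CUSTOM_IDENT);
        // For an SshClient the equivalent is CoreModuleProperties.CLIENT_IDENTIFICATION.

        sshd.start();
        try (Socket socket = new Socket(InetAddress.getLoopbackAddress(), sshd.getPort())) {
            socket.setSoTimeout(5000);
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(socket.getInputStream(), StandardCharsets.US_ASCII));

            // The first line is what a banner scan reports.
            String banner = in.readLine();
            System.out.println("Banner on the wire: " + banner);

            if (!("SSH-2.0-" + CUSTOM_IDENT).equals(banner)) {
                throw new IllegalStateException("Unexpected banner: " + banner);
            }
            if (banner.contains(sshd.getVersion())) {
                throw new IllegalStateException("Library version still present in banner");
            }
        } finally {
            sshd.stop(true);
        }
    }
}
```

The `SSH-2.0-` prefix stays because the SSH protocol requires it, and a changed banner does not alter which code is running, so it complements rather than replaces keeping the library patched.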
