This CVE is assigned to SSH for a general issue in the protocol as specified in the RFC, rather than to a specific implementation (e.g., OpenSSH). As such, it is virtually impossible to fix without breaking compatibility. OpenSSH 8.4 introduced a partial mitigation to make exploitation harder, but beyond that there's no known complete fix.
The vulnerability allows attackers to distinguish clients that are possible targets for a MitM attack from those that have already connected to the target server and thus aren't vulnerable (they have already stored the server's key). Generally, after updating to 8.4, there's nothing you can do but accept the remaining risk.
<aside> ⚠️
The National Vulnerability Database (NVD) claims that this issue only affects OpenSSH < 8.4. This is not completely true, as the core issue is not an implementation bug and OpenSSH ≥ 8.4 is still somewhat vulnerable to it.
</aside>