[jira] [Commented] (CASSANDRA-17907) Remediate CVE-2022-25857 - org.yaml_snakeyaml version 1.26 has vulnerabilities

Tue, 20 Sep 2022 07:32:29 -0700 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-17907?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17607247#comment-17607247
 ] 

Brandon Williams commented on CASSANDRA-17907:
----------------------------------------------

CVE-2022-38750, CVE-2022-38751, CVE-2022-38752, CVE-2022-38749: DoS if parsing 
untrusted files
CVE-2022-25857: DoS due to limitation in nested collections

None of these affect us unless operators DoS themselves, so here are patches to 
suppress:

||Branch||CI||
|[3.11|https://github.com/driftx/cassandra/tree/CASSANDRA-17907-3.11]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/642/workflows/b8769258-f173-4359-93ac-def3fe70ca74]|
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-17907-4.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/640/workflows/b8c61e1e-4da4-4665-99dc-5022eb313b48],
 
[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/640/workflows/3dae8a21-fdf2-4b51-be44-6c490672623e]|
|[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-17907-4.1]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/641/workflows/4ddc8bfd-a9f2-4eb5-b566-affcfd57bed9],
 
[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/641/workflows/753899cd-65aa-4ec0-b48c-e53f46219836]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-17907-trunk]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/643/workflows/168ea9b1-cb6d-46f3-9a3d-a460b50c44da],
 
[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/643/workflows/60cb2510-17a7-4f3a-a027-9468a0889cb4]|


> Remediate CVE-2022-25857 - org.yaml_snakeyaml version 1.26 has vulnerabilities
> ------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-17907
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17907
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Dependencies
>            Reporter: deepagkanaka
>            Assignee: Brandon Williams
>            Priority: Normal
>             Fix For: 3.11.x, 4.0.x, 4.1.x
>
>
> |org.yaml_snakeyaml|[CVE-2022-25857|https://nvd.nist.gov/vuln/detail/CVE-2022-25857]|Fixed
>  in: 1.31
> 21 days ago| |6|Impacted versions: <1.31
> Discovered: a day ago
> Published: 21 days ago
> The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to 
> Denial of Service (DoS) due missing to nested depth limitation for 
> collections.|



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to