[ https://issues.apache.org/jira/browse/TOMEE-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17675587#comment-17675587 ]

Richard Zowalla commented on TOMEE-4169:
----------------------------------------

snakeyaml in TomEE is a transient dependency from jackson-dataformat-yaml, 
which is used by OpenAPI.

According to the Jackson people, they are not affected 
https://github.com/FasterXML/jackson-dataformats-text/issues/361

Thus, I don't think that we are affected either.

> SnakeYAML - CVE-2022-1471
> -------------------------
>
>                 Key: TOMEE-4169
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4169
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 8.0.13
>            Reporter: Nikhil
>            Priority: Major
>
> The security team has reported an issue with one of the libraries (SnakeYAML) 
> which is part of the TomEE distribution.
>  
> With TomEE 8.0.13 we have this library updated to *1.30*. The affected 
> versions of this jar are never mentioned, but the following information is 
> provided:
> *The maintainers of SnakeYAML have stated in an advisory 
> (https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md) 
> that SnakeYAML is not designed to be used to process YAML files from 
> untrusted sources.*
> We wanted to check if TomEE is vulnerable to this CVE, since there is 
> nothing to update from the SnakeYAML perspective; it is more a matter of the 
> configuration / usage of its libraries in the respective projects that use 
> them (here TomEE).
>  
> Please help if there is already a discussion around this; we would be happy 
> to coordinate.
>  
> ---------------
>  
> *Summary*: SnakeYaml's Constructor() class does not restrict types which 
> can be instantiated during deserialization. Deserializing yaml content 
> provided by an attacker can lead to remote code execution. We recommend using 
> SnakeYaml's SafeConstructor when parsing untrusted content to restrict 
> deserialization.
> *Solution*: N/A
> *Workaround*: N/A



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
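The Constructor() versus SafeConstructor distinction from the issue summary, as an added example that is not code from TomEE, SnakeYAML or the issue: the same constructed YAML document is loaded both ways with the SnakeYAML 1.x API (the 1.30 line the report names); the class name SafeYamlLoading and the document contents are assumptions made for the example.

```java
// Added example, not code from TomEE or the issue: one constructed YAML document
// loaded with SnakeYAML 1.x's default Constructor and with SafeConstructor.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SafeYamlLoading {

    // Constructed input: the "!!" global tag asks the loader to resolve and
    // instantiate a JDK class named inside the document. java.util.ArrayList is
    // harmless; the point is that Constructor honours whatever class name the
    // document supplies, which is what CVE-2022-1471 is about.
    static final String TAGGED_DOC =
            "name: demo\n" +
            "items: !!java.util.ArrayList [1, 2, 3]\n";

    // Weak setting: in SnakeYAML 1.x, new Yaml() is equivalent to
    // new Yaml(new Constructor()), so a bare Yaml instance behaves the same way.
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml(new Constructor()).load(doc);
    }

    // Corrected setting for untrusted input: SafeConstructor only registers
    // constructors for the core YAML tags (str, int, float, bool, null, seq,
    // map, timestamp, binary, ...) and has none for a tag naming a Java class,
    // so the load fails before any class is instantiated.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object fromConstructor = loadWithDefaultConstructor(TAGGED_DOC);
        System.out.println("Constructor loaded:     " + fromConstructor);

        try {
            loadWithSafeConstructor(TAGGED_DOC);
            System.out.println("SafeConstructor loaded the tagged document (unexpected)");
        } catch (ConstructorException e) {
            // Expected path: the global tag has no registered constructor.
            System.out.println("SafeConstructor rejected: " + e.getMessage());
        }
    }
}
```

The comment above concerns jackson-dataformat-yaml, which drives SnakeYAML's parser but builds objects through Jackson's own databinding rather than through Constructor(); that path is not exercised by this example.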
