[ https://issues.apache.org/jira/browse/TOMEE-4169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla updated TOMEE-4169:
-----------------------------------
Fix Version/s: 8.0.14
> SnakeYAML - CVE-2022-1471
> -------------------------
>
> Key: TOMEE-4169
> URL: https://issues.apache.org/jira/browse/TOMEE-4169
> Project: TomEE
> Issue Type: Dependency upgrade
> Components: TomEE Core Server
> Affects Versions: 8.0.13
> Reporter: Nikhil
> Priority: Major
> Fix For: 8.0.14
>
>
> Security has reported an issue with one of the libraries (SnakeYAML)
> that is part of the TomEE distribution.
>
> With TomEE 8.0.13 we have this library updated to *1.30*, though the
> affected versions of this jar are never mentioned; the following
> information is provided:
> *The maintainers of SnakeYAML have stated in an
> [advisory|https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md]
> that SnakeYAML is not designed to be used to process YAML files from
> untrusted sources.*
> We wanted to check whether TomEE is vulnerable to this CVE, since there
> is nothing to update from the SnakeYAML perspective; it is more a matter
> of configuration / usage of its libraries in the respective projects
> (here TomEE).
>
> Please help if there is already a discussion around this; we would be
> happy to coordinate.
>
> ---------------
>
> {*}Summary{*}: SnakeYAML's Constructor() class does not restrict the types
> that can be instantiated during deserialization. Deserializing YAML content
> provided by an attacker can lead to remote code execution. We recommend using
> SnakeYAML's SafeConstructor when parsing untrusted content to restrict
> deserialization.
> {*}Solution{*}: N/A
> {*}Workaround{*}: N/A
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
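The difference the Summary describes, shown as an added example that is not part of the issue or of TomEE's code: the same tagged document is loaded once with SnakeYAML's permissive `Constructor` and once with `SafeConstructor`. It assumes a SnakeYAML 1.x dependency on the classpath (the issue mentions 1.30); the YAML input and the `SnakeYamlSafeLoadDemo` class are constructed for the example, and `java.util.Date` is used only as a harmless stand-in for "whatever class the document names".

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/** Added example (not project code): Constructor vs SafeConstructor on a class-tagged document. */
public class SnakeYamlSafeLoadDemo {

    // Constructed sample input: a global tag naming an arbitrary JVM class.
    // The class name is chosen by whoever wrote the document, not by the application.
    static final String TAGGED_DOC = "!!java.util.Date {}";

    // Constructed sample of ordinary configuration data with no type tags.
    static final String PLAIN_DOC = "server:\n  port: 8080\n  hosts: [a, b]\n";

    /** Permissive load: in the 1.x line, new Yaml() without arguments behaves the same way. */
    static Object loadPermissive(String yaml) {
        return new Yaml(new Constructor()).load(yaml);
    }

    /** Restricted load: only standard YAML types (maps, lists, scalars) are built. */
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        // Constructor resolves the tag to a class and instantiates it.
        Object permissive = loadPermissive(TAGGED_DOC);
        System.out.println("Constructor built: " + permissive.getClass().getName());

        // SafeConstructor refuses the tag instead of looking up the class.
        try {
            loadSafe(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getProblem());
        }

        // Untagged configuration still loads normally through SafeConstructor.
        Object config = loadSafe(PLAIN_DOC);
        System.out.println("SafeConstructor built: " + config.getClass().getName());
    }
}
```

When auditing a dependency like this, the check is which constructor each `Yaml` instance is created with and whether the documents it parses can come from outside the trust boundary; the library version alone does not answer the question the reporter asks.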