Rohit Kumar Badeau created HDDS-7760:
----------------------------------------

             Summary: snakeyaml workaround due to CVE-2022-1471
                 Key: HDDS-7760
                 URL: https://issues.apache.org/jira/browse/HDDS-7760
             Project: Apache Ozone
          Issue Type: Task
            Reporter: Rohit Kumar Badeau
            Assignee: Rohit Kumar Badeau


Upgrade snakeyaml due to CVE-2022-1471

CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which 
can be instantiated during deserialization. Deserializing yaml content provided 
by an attacker can lead to remote code execution. We recommend using 
SnakeYaml's SafeConstructor when parsing untrusted content to restrict 
deserialization.

CVSSv3 Score:- 9.8(Critical)

[https://nvd.nist.gov/vuln/detail/CVE-2022-1471]

This CVE is affecting snakeyaml up to snakeyaml:1.33, and this is the latest 
available version.

This is a critical CVE with a 9.8 CVSS score. So until the fixed version is 
released, the CVE can be worked around by making changes in the code.

*_The workaround for this is to go through the code and identify the usage 
of the Constructor() class of snakeYAML and replace it with SafeConstructor()._*

[https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in]

Note that the SnakeYaml documentation states: *_It is not safe to call 
{{Yaml.load()}} with any data received from an untrusted source!_* The method 
{{Yaml.load()}} _converts a YAML document to a Java object._
Used by default, as shown below.

    Yaml yaml = new Yaml(new SafeConstructor());



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
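An added example (not code from the issue or from the Ozone code base) of the hardened loader the workaround calls for: it parses a constructed config document with SafeConstructor and shows that a document carrying a class tag is refused instead of instantiated. The YAML samples are constructed and the class name in the tagged document is a placeholder.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {
    // Constructed sample: the kind of plain config document that is safe to load.
    static final String PLAIN = "name: vol1\nreplication: 3\nenabled: true\n";

    // Constructed sample: a document with an explicit class tag (placeholder class
    // name). With Constructor() SnakeYAML would try to resolve and instantiate the
    // class; SafeConstructor only knows the standard YAML tags and rejects it.
    static final String TAGGED = "!!com.example.PlaceholderBean {field: x}\n";

    /**
     * Hardened loader. Before the workaround, code used new Yaml() or
     * new Yaml(new Constructor()), both of which instantiate arbitrary tagged
     * classes. SafeConstructor restricts the result to Map, List, String,
     * numbers, booleans, dates and null.
     */
    static Map<String, Object> loadConfig(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object root = yaml.load(yamlText);
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at document root");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> m = (Map<String, Object>) root;
        return m;
    }

    /** True when SafeConstructor refuses the document (e.g. because of a class tag). */
    static boolean isRejected(String yamlText) {
        try {
            new Yaml(new SafeConstructor()).load(yamlText);
            return false;
        } catch (YAMLException e) {
            // ConstructorException ("could not determine a constructor for the tag ...")
            return true;
        }
    }

    public static void main(String[] args) {
        Map<String, Object> cfg = loadConfig(PLAIN);
        System.out.println("replication = " + cfg.get("replication"));
        System.out.println("tagged document rejected: " + isRejected(TAGGED));
    }
}
```

Grep the code base for `new Yaml()` as well as `new Constructor(`: in the 1.x line the no-argument Yaml constructor also defaults to the unrestricted Constructor.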
