[ https://issues.apache.org/jira/browse/HDDS-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Attila Doroszlai updated HDDS-7760:
-----------------------------------
Summary: Let ContainerDataConstructor extend SafeConstructor (was:
snakeyaml workaround due to CVE-2022-1471)
> Let ContainerDataConstructor extend SafeConstructor
> ---------------------------------------------------
>
> Key: HDDS-7760
> URL: https://issues.apache.org/jira/browse/HDDS-7760
> Project: Apache Ozone
> Issue Type: Task
> Reporter: Rohit Kumar Badeau
> Assignee: Rohit Kumar Badeau
> Priority: Major
> Labels: pull-request-available
>
> Upgrade snakeyaml due to CVE-2022-1471
> CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which
> can be instantiated during deserialization. Deserializing yaml content
> provided by an attacker can lead to remote code execution. We recommend using
> SnakeYaml's SafeConstructor when parsing untrusted content to restrict
> deserialization.
> CVSSv3 Score: 9.8 (Critical)
> [https://nvd.nist.gov/vuln/detail/CVE-2022-1471]
> This CVE is affecting snakeyaml up to snakeyaml:1.33 and this is the latest
> available version.
> This is a critical CVE with 9.8 CVSS Score. So until the fixed version is
> released, the CVE can be worked around by making changes in the code.
> The workaround for this is to go through the code and identify the
> usage of the Constructor() class of snakeYAML and replace it with
> SafeConstructor().
> [https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in]
>
> Note that the SnakeYaml documentation states: It is not safe to call
> Yaml.load() with any data received from an untrusted source! The method
> Yaml.load() converts a YAML document to a Java object.
> Used by default, as shown below.
> Yaml yaml = new Yaml(new SafeConstructor());
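The title of this ticket describes the stronger form of the workaround quoted above: instead of swapping `new Constructor()` for a bare `new SafeConstructor()` (which would no longer know how to build the application's own type), the application's constructor class itself extends SafeConstructor and registers a hand-written mapping for exactly one tag. The following is an added illustration of that pattern, not Ozone's ContainerDataConstructor or any code from this ticket; the `ContainerData` record, its two fields, the `!ContainerData` local tag and the sample documents are all hypothetical, and it is written against the SnakeYAML 1.x API (no-argument `SafeConstructor()`, `Yaml(BaseConstructor)`) that the ticket refers to.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.AbstractConstruct;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.nodes.MappingNode;
import org.yaml.snakeyaml.nodes.Node;
import org.yaml.snakeyaml.nodes.Tag;

public class SafeContainerDataDemo {

  /** Hypothetical stand-in for a container-metadata record; not Ozone's ContainerData. */
  static final class ContainerData {
    final long containerId;
    final String state;

    ContainerData(long containerId, String state) {
      this.containerId = containerId;
      this.state = state;
    }

    @Override
    public String toString() {
      return "ContainerData{id=" + containerId + ", state=" + state + "}";
    }
  }

  /** Hypothetical local tag chosen for this demo; a real on-disk format may use another. */
  static final Tag CONTAINER_DATA_TAG = new Tag("!ContainerData");

  /**
   * SafeConstructor only knows the standard YAML scalar and collection tags.
   * This subclass adds exactly one more: an explicit mapping for ContainerData.
   * No class name taken from the YAML text is ever resolved or instantiated,
   * which is the property that Constructor() lacks (CVE-2022-1471).
   */
  static final class ContainerDataConstructor extends SafeConstructor {
    ContainerDataConstructor() {
      super();
      this.yamlConstructors.put(CONTAINER_DATA_TAG, new ConstructContainerData());
    }

    private final class ConstructContainerData extends AbstractConstruct {
      @Override
      public Object construct(Node node) {
        if (!(node instanceof MappingNode)) {
          throw new YAMLException("expected a mapping for " + CONTAINER_DATA_TAG);
        }
        // Child nodes are built by SafeConstructor's own scalar constructors only.
        Map<Object, Object> fields = constructMapping((MappingNode) node);
        Object id = fields.get("containerId");
        Object state = fields.get("state");
        if (!(id instanceof Number) || !(state instanceof String)) {
          throw new YAMLException("missing or mistyped containerId/state");
        }
        return new ContainerData(((Number) id).longValue(), (String) state);
      }
    }
  }

  /** Parses one document and insists that its root really is a ContainerData. */
  static ContainerData parse(String document) {
    Yaml yaml = new Yaml(new ContainerDataConstructor());
    Object loaded = yaml.load(document);
    if (!(loaded instanceof ContainerData)) {
      throw new YAMLException("document root is not " + CONTAINER_DATA_TAG);
    }
    return (ContainerData) loaded;
  }

  /** True when the safe constructor refuses the document. */
  static boolean isRejected(String document) {
    try {
      parse(document);
      return false;
    } catch (YAMLException e) {
      return true;
    }
  }

  public static void main(String[] args) {
    // Constructed sample: the expected shape, accepted.
    String good = "!ContainerData\ncontainerId: 42\nstate: OPEN\n";
    System.out.println(parse(good));

    // Constructed sample: a global tag nobody registered. SafeConstructor has no
    // constructor for it and throws "could not determine a constructor for the tag"
    // instead of resolving the tag to a class the way Constructor() would.
    String unexpected = "!!com.example.NotRegistered\ncontainerId: 42\nstate: OPEN\n";
    System.out.println("unregistered tag rejected: " + isRejected(unexpected));

    // Constructed sample: right tag, wrong node kind (a sequence), rejected by our check.
    String malformed = "!ContainerData\n- 42\n- OPEN\n";
    System.out.println("non-mapping payload rejected: " + isRejected(malformed));
  }
}
```

The design point is that the allow-list lives in code, not in the document: the only tag beyond the YAML core set that this constructor will honour is the one registered in its own constructor, and the field extraction is written by hand, so the shape of the trusted type is fixed at compile time rather than derived from whatever `!!` tag the file happens to carry.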
--
This message was sent by Atlassian Jira
(v8.20.10#820010)