[jira] [Updated] (HDDS-7760) Let ContainerDataConstructor extend SafeConstructor

Wed, 11 Jan 2023 04:41:36 -0800 


     [ 
https://issues.apache.org/jira/browse/HDDS-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Doroszlai updated HDDS-7760:
-----------------------------------
    Description: Let {{ContainerDataConstructor}} extend {{SafeConstructor}} 
instead of {{Constructor}} to restrict object creation.  (was: Upgrade 
snakeyaml due to CVE-2022-1471

CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which 
can be instantiated during deserialization. Deserializing yaml content provided 
by an attacker can lead to remote code execution. We recommend using 
SnakeYaml's SafeConsturctor when parsing untrusted content to restrict 
deserialization.

CVSSv3 Score:- 9.8(Critical)

[https://nvd.nist.gov/vuln/detail/CVE-2022-1471]

This CVE is affecting snakeyaml upto snakeyaml:1.33 and this is the latest 
available version.

This is a critical CVE with 9.8 CVSS Score. So until the fixed version is 
released, the CVE can be work upon by doing the changes in the code.

*_The workaround for this is to go through the code and and identify the usage 
of constructor() class of snakeYAML and replace it with SafeConstructor()._*

[https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in]

    
Note that the SnakeYaml documentation states: It is not safe to call * *_ 
_{{_Yaml.load()}}_*  *\{_}{_}with any data received from an untrusted{_}* 
{_}{*}{{*}}{_}{*}_source!_{*} {*}{{*}}* {_}{{_}}The method _{{_Yaml.load()}}_ 
_converts a YAML document to a Java object._
Used by default, as shown below.
Yaml yaml = new Yaml(new SafeConstructor());)

> Let ContainerDataConstructor extend SafeConstructor
> ---------------------------------------------------
>
>                 Key: HDDS-7760
>                 URL: https://issues.apache.org/jira/browse/HDDS-7760
>             Project: Apache Ozone
>          Issue Type: Task
>            Reporter: Rohit Kumar Badeau
>            Assignee: Rohit Kumar Badeau
>            Priority: Major
>              Labels: pull-request-available
>
> Let {{ContainerDataConstructor}} extend {{SafeConstructor}} instead of 
> {{Constructor}} to restrict object creation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to