[
https://issues.apache.org/jira/browse/STORM-3918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722248#comment-17722248
]
Alexandre Vermeerbergen commented on STORM-3918:
------------------------------------------------
Strange: in master, I see that snakeyaml version pom.xml already has been set
to 2.0.
Yet I find no Jira about this upgrade : last Jira on SnakeYaml update is:
https://issues.apache.org/jira/browse/STORM-3889
I can close this Jira as "already done", but it's a shame not to have
tracking...
> Bump snakeyaml from 1.32 to 2.0
> -------------------------------
>
> Key: STORM-3918
> URL: https://issues.apache.org/jira/browse/STORM-3918
> Project: Apache Storm
> Issue Type: Bug
> Components: storm-core
> Affects Versions: 2.4.0
> Reporter: Alexandre Vermeerbergen
> Assignee: Alexandre Vermeerbergen
> Priority: Critical
>
> Current snakeyaml version is vulnerable to
> [CVE-2022-1471|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471]
> which is rated [9.8
> CRITICAL|https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2022-1471&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST]
> by NIST.
> Trivial fix is to update to snakeyaml 2.0.
> I tried to manually replace existing snakeyaml JAR with 2.0 version (but
> keeping the same JAR file name to avoid issue with potentially hard coded
> CLASSPATH), and then I restarted all Storm related processes (Nimbus,
> logview, Supervisor, Nimbus UI...) and deployed some topologies => everything
> worked fine
> So it looks like a trivial task
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
