Posted to issues@ozone.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2023/01/09 17:19:00 UTC

[jira] [Updated] (HDDS-7760) snakeyaml workaround due to CVE-2022-1471

     [ https://issues.apache.org/jira/browse/HDDS-7760?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated HDDS-7760:
---------------------------------
    Labels: pull-request-available  (was: )

> snakeyaml workaround due to CVE-2022-1471
> -----------------------------------------
>
>                 Key: HDDS-7760
>                 URL: https://issues.apache.org/jira/browse/HDDS-7760
>             Project: Apache Ozone
>          Issue Type: Task
>            Reporter: Rohit Kumar Badeau
>            Assignee: Rohit Kumar Badeau
>            Priority: Major
>              Labels: pull-request-available
>
> Upgrade snakeyaml due to CVE-2022-1471
> CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
> CVSSv3 Score: 9.8 (Critical)
> [https://nvd.nist.gov/vuln/detail/CVE-2022-1471]
> This CVE is affecting snakeyaml up to snakeyaml:1.33 and this is the latest available version.
> This is a critical CVE with 9.8 CVSS Score. So until the fixed version is released, the CVE can be worked upon by doing the changes in the code.
> *_The workaround for this is to go through the code and identify the usage of Constructor() class of snakeYAML and replace it with SafeConstructor()._*
> [https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in]
>     
> Note that the SnakeYaml documentation states: *It is not safe to call {{Yaml.load()}} with any data received from an untrusted source!* The method {{Yaml.load()}} converts a YAML document to a Java object.
> Used by default, as shown below.
> Yaml yaml = new Yaml(new SafeConstructor());
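The following Java class is an added illustration of the workaround described in the ticket; it is not code from Apache Ozone or from the SnakeYAML project. It assumes snakeyaml 1.33 (the version named in the ticket) on the classpath, where the no-argument `Constructor()` and `SafeConstructor()` constructors still exist, and the class name and the YAML document are constructed for the example. The document carries a global `!!` tag naming a harmless JDK class, which is enough to show the difference: `Constructor` resolves and instantiates the named class, while `SafeConstructor` rejects any global tag with a `ConstructorException` before any class is looked up.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class SnakeYamlSafeLoad {

    // Constructed sample input (not from the ticket): a global "!!" tag asks the
    // loader to instantiate an arbitrary JVM class. java.net.URL is used here only
    // because building one is harmless (no network access); the point is that the
    // tag itself, chosen by whoever wrote the document, controls which class gets
    // instantiated.
    static final String TAGGED_YAML =
            "name: ozone-config\n"
            + "endpoint: !!java.net.URL [\"https://example.invalid/\"]\n";

    // The same data without any global tag.
    static final String PLAIN_YAML =
            "name: ozone-config\n"
            + "endpoint: https://example.invalid/\n";

    /** Pre-workaround pattern: in snakeyaml 1.x, new Yaml() is new Yaml(new Constructor()). */
    static Object loadWithConstructor(String doc) {
        Yaml yaml = new Yaml(new Constructor());
        return yaml.load(doc);
    }

    /** HDDS-7760 workaround: SafeConstructor only constructs the standard YAML
     *  types (maps, lists, scalars) and throws on every global tag. */
    static Object loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    /** True when SafeConstructor accepts the document, i.e. it contains no
     *  class-instantiating tag. Useful as a quick check on config files that
     *  are supposed to be plain data. */
    static boolean acceptedBySafeConstructor(String doc) {
        try {
            loadWithSafeConstructor(doc);
            return true;
        } catch (ConstructorException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructor honours the global tag and hands back a java.net.URL instance.
        Map<?, ?> viaConstructor = (Map<?, ?>) loadWithConstructor(TAGGED_YAML);
        System.out.println("Constructor built: "
                + viaConstructor.get("endpoint").getClass().getName());

        // SafeConstructor refuses the tag; the exception message names the tag,
        // e.g. "could not determine a constructor for the tag tag:yaml.org,2002:java.net.URL".
        try {
            loadWithSafeConstructor(TAGGED_YAML);
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected: " + e.getMessage());
        }

        // Plain data loads identically under both, so the swap costs nothing for
        // well-formed config files.
        Map<?, ?> viaSafe = (Map<?, ?>) loadWithSafeConstructor(PLAIN_YAML);
        System.out.println("plain endpoint: " + viaSafe.get("endpoint"));
        System.out.println("plain accepted: " + acceptedBySafeConstructor(PLAIN_YAML));   // true
        System.out.println("tagged accepted: " + acceptedBySafeConstructor(TAGGED_YAML)); // false
    }
}
```

When auditing a code base for this workaround, every `new Yaml()` with no arguments counts as a `Constructor()` usage in 1.x and needs the same replacement; only sites that deliberately load typed beans from trusted, internal files should keep `Constructor`, and those should be reviewed individually.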



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
