You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ozone.apache.org by "Rohit Kumar Badeau (Jira)" <ji...@apache.org> on 2023/01/09 17:04:00 UTC
[jira] [Created] (HDDS-7760) snakeyaml workaround due to CVE-2022-1471
Rohit Kumar Badeau created HDDS-7760:
----------------------------------------
Summary: snakeyaml workaround due to CVE-2022-1471
Key: HDDS-7760
URL: https://issues.apache.org/jira/browse/HDDS-7760
Project: Apache Ozone
Issue Type: Task
Reporter: Rohit Kumar Badeau
Assignee: Rohit Kumar Badeau
Upgrade snakeyaml due to CVE-2022-1471
CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
CVSSv3 Score:- 9.8(Critical)
[https://nvd.nist.gov/vuln/detail/CVE-2022-1471]
This CVE is affecting snakeyaml upto snakeyaml:1.33 and this is the latest available version.
This is a critical CVE with 9.8 CVSS Score. So until the fixed version is released, the CVE can be work upon by doing the changes in the code.
*_The workaround for this is to go through the code and and identify the usage of constructor() class of snakeYAML and replace it with SafeConstructor()._*
[https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in]
Note that the SnakeYaml documentation states: It is not safe to call * *_ _{{_Yaml.load()}}_* *\{_}{_}with any data received from an untrusted{_}* {_}{*}{{*}}{_}{*}_source!_{*} {*}{{*}}* {_}{{_}}The method _{{_Yaml.load()}}_ _converts a YAML document to a Java object._
Used by default, as shown below.
Yaml yaml = new Yaml(new SafeConstructor());
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org