[jira] [Created] (HDDS-7760) snakeyaml workaround due to CVE-2022-1471

["Rohit Kumar Badeau (Jira)" <ji...@apache.org>]

Rohit Kumar Badeau created HDDS-7760:
----------------------------------------

             Summary: snakeyaml workaround due to CVE-2022-1471
                 Key: HDDS-7760
                 URL: https://issues.apache.org/jira/browse/HDDS-7760
             Project: Apache Ozone
          Issue Type: Task
            Reporter: Rohit Kumar Badeau
            Assignee: Rohit Kumar Badeau


Upgrade snakeyaml due to CVE-2022-1471

CVE-2022-1471 - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

CVSSv3 Score:- 9.8(Critical)

[https://nvd.nist.gov/vuln/detail/CVE-2022-1471]

This CVE is affecting snakeyaml upto snakeyaml:1.33 and this is the latest available version.

This is a critical CVE with 9.8 CVSS Score. So until the fixed version is released, the CVE can be work upon by doing the changes in the code.

*_The workaround for this is to go through the code and and identify the usage of constructor() class of snakeYAML and replace it with SafeConstructor()._*

[https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in]

    
Note that the SnakeYaml documentation states: It is not safe to call * *_ _{{_Yaml.load()}}_*  *\{_}{_}with any data received from an untrusted{_}* {_}{*}{{*}}{_}{*}_source!_{*} {*}{{*}}* {_}{{_}}The method _{{_Yaml.load()}}_ _converts a YAML document to a Java object._
Used by default, as shown below.
Yaml yaml = new Yaml(new SafeConstructor());



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@ozone.apache.org
For additional commands, e-mail: issues-help@ozone.apache.org