SnakeYaml vulnerability?

[rutger-gerritsen]

@nielsbasjes
yauaa-7.9.0.jar (shaded: org.yaml:snakeyaml:1.33) | Reference: CVE-2022-1471 | CVSS Score: 9.8 | Category: CWE-502 | SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization

• https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
• https://github.com/nielsbasjes/yauaa/blob/v7.9.0/analyzer/src/main/java/nl/basjes/parse/useragent/config/ConfigLoader.java#L328

[nielsbasjes]

Thanks for the notification.

There are several things about this:

• Yauaa is on the latest available SnakeYaml version.
• Yauaa uses renovate to update dependencies asap and as soon as a new SnakeYaml version becomes available I'll put out a new Yauaa release.
• The constructor is only called in a hardcoded way in the library.
• The Yauaa library ONLY uses SnakeYaml to parse the serverside configuration.
  • Only Yaml files that are on the classpath (i.e. installed serverside) are parsed.
  • So only if you have access to the server side code you can inject new code ... which if you have serverside access you can do anyway.

[nielsbasjes]

Apparently they have not yet fixed it.
https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in

[nielsbasjes]

I double checked the code currently in use in Yauaa and it already uses the SafeConstructor as recommended.

[nielsbasjes]

To summarize:

• Yauaa uses this library in a way that (according to the documentation) will not trigger this problem.
• As soon as there is a new version Yauaa will be updated and the next release will use that.

[nielsbasjes]

Snakeyaml released 2.0 today which includes a fix for this.

[nielsbasjes]

I have released 7.14.1 which includes this new snakeyaml version.