Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-1471 - A new vulnerability in SnakeYaml 1.30+ #33457

Closed
albertwangnz opened this issue Dec 4, 2022 · 28 comments
Closed

CVE-2022-1471 - A new vulnerability in SnakeYaml 1.30+ #33457

albertwangnz opened this issue Dec 4, 2022 · 28 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

@albertwangnz
Copy link

CVE-2022-1471 has been reported against the SnakeYaml project 1.30+. More information can be found in the google/security-research project security post.

At this stage, SnakeYaml has no patch to fix it. A new issue has been created on SnakeYaml's Bitbucket project.

The description says We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

Spring Boot uses SnakeYaml so potentially could be impacted. Can somebody (@bclozel) help with checking how Spring Boot uses SnakeYaml since Spring Boot may not be impacted by the vulnerability?

Thank you.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Dec 4, 2022
@philwebb
Copy link
Member

philwebb commented Dec 5, 2022

Thanks for the information.

Spring Boot already uses SafeConstructor internally so I don't think there are any changes we need to make. Furthermore, typically Spring Boot application only use SnakeYaml to parse application.yaml files, which should be trusted already.

Users that use SnakeYaml directly to parse data from untrusted sources should implement their own mitigation strategies.

@philwebb philwebb closed this as completed Dec 5, 2022
@philwebb philwebb added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 5, 2022
@albertwangnz
Copy link
Author

@philwebb Thanks a lot. Those are the information I am looking for.

@bisvo01
Copy link

bisvo01 commented Dec 6, 2022

Is Spring Boot 2.7.x still supported? The unsafe Constructor is still used there.

@bclozel
Copy link
Member

bclozel commented Dec 6, 2022

@bisvo01 Spring Boot 2.7.x is currently supported, see our support timeline page. We'll do another pass in our codebase to ensure that we're using the safe constructor variant - but in general, Spring Boot is only parsing yaml from trusted sources. Using SafeConstructor is especially useful when you're parsing untrusted content.

@philwebb
Copy link
Member

@bisvo01 I just double checked YamlJsonParser in 2.7 and I don't think it's susceptible to the CVE since it already limits the types that can be created.

sumanmaity1234 added a commit to otto-de/gitactionboard that referenced this issue Dec 12, 2022
@AmigaBlitter
Copy link

@bisvo01 I just double checked YamlJsonParser in 2.7 and I don't think it's susceptible to the CVE since it already limits the types that can be created.

Thank you for the analysis.

Is Spring Boot 2.5.x susceptible to the CVE?
Thank you in advance.

@bclozel
Copy link
Member

bclozel commented Dec 13, 2022

@AmigaBlitter it's not, unless your application is using SnakeYaml to deserialize untrusted input. I think the biggest security risk right now is being in production with a Spring Boot version that's not supported anymore (unless you've got commercial support).

@AmigaBlitter
Copy link

Thank you for the reply.

@jpcmonster
Copy link

@philwebb does the statement regarding SafeConstructur also cover https://github.com/springdoc/springdoc-openapi ?
I am guessing no, but I am asking for completeness - thanks!

@scottfrederick
Copy link
Contributor

@jpcmonster springdoc-openapi is not a Spring Framework project (despite having "spring" in the name). It is maintained by a completely separate group. Any questions about that project should be asked in its repository.

@jpcmonster
Copy link

@jpcmonster springdoc-openapi is not a Spring Framework project (despite having "spring" in the name). It is maintained by a completely separate group. Any questions about that project should be asked in its repository.

thanks for your reply; I suspected so and have followed up there.

@sreekanth-tf
Copy link

sreekanth-tf commented Dec 22, 2022

@philwebb @bclozel Is it safe to exclude the snakeyaml dependency if we are using the application.properties instead of application.yml?

@philwebb
Copy link
Member

@sreekanth-tf Yes, it should be fine as long as you don't have any .yml files. If you do, this exception will be thrown.

@sreekanth-tf
Copy link

thank you @philwebb!

@fabionoth
Copy link

Thanks : )

@bclozel
Copy link
Member

bclozel commented Feb 28, 2023

We are aware that SnakeYaml 2.0 has been released, fixing this CVE. The team is working on an upgrade strategy. Also see spring-projects/spring-framework#30048.

@dlipofsky
Copy link

@wilkinsona, I would be referring to having SpringBoot 2.7.x use snakeyaml 2.0. I can see that spring-boot-starter 2.7.10 pom pulls in snakeyaml 1.30. I scanned the ticket you refer to, it sounds like "one person tried it and it didn't break". I suppose I could try it. It also sounds like there might be some jackson compatibility issues that would burn me anyway unless I also upgrade jackson.

@wilkinsona
Copy link
Member

I would be referring to having SpringBoot 2.7.x use snakeyaml 2.0

The issue to which I already linked answer this.

I scanned the ticket you refer to, it sounds like "one person tried it and it didn't break". I suppose I could try it.

The commit that closed that issue to which I already linked adds a test that verifies that it works for loading application.yaml.

there might be some jackson compatibility issues

Correct. Compatibility of code that the Spring Boot team does not maintain is out of the Spring Boot team's control.

@pexa-slee
Copy link

in your POM add in
<snakeyaml.version>2.0</snakeyaml.version>

nidhi-nair added a commit to appsmithorg/appsmith that referenced this issue Jun 8, 2023
## Description
Upgrades SnakeYaml dependency version forcefully to 2.0 to overcome
[this
issue](spring-projects/spring-boot#33457), as
advised
[here](spring-projects/spring-boot#34405 (comment)).

This version tag can be reverted when we upgrade to Spring 6.1, which is
when the library
[aims](spring-projects/spring-framework#30048 (comment))
to upgrade the version themselves.

Fixes appsmithorg/appsmith-ee#1233

#### Type of change
- Chore (housekeeping or task changes that don't impact user perception)

## Testing
This PR will be tested during regression.

---------

Co-authored-by: Arpit Mohan <[email protected]>
Co-authored-by: Shrikant Sharat Kandula <[email protected]>
dabico added a commit to seart-group/ghs that referenced this issue Aug 11, 2023
dabico added a commit to seart-group/ghs that referenced this issue Aug 11, 2023
@wilkinsona wilkinsona unpinned this issue Sep 12, 2023
lefteris-tsallas-leanix added a commit to leanix/vsm-sbom-booster that referenced this issue Sep 13, 2023
This is a false positive as stated here spring-projects/spring-boot#33457 and since we are not doing any manual yaml parsing. However, we can update to v2.2 to completely remove the snakeyaml 1.33 from our jars.
lefteris-tsallas-leanix added a commit to leanix/vsm-github-broker that referenced this issue Sep 13, 2023
This one is a derived dependency of spring-boot, and we are already in the latest spring boot version. This is a false positive as stated here spring-projects/spring-boot#33457 and since we are not doing any manual yaml parsing. However, we can update to v2.2 to completely remove the snakeyaml 1.33 from our jars.
geoandri pushed a commit to leanix/vsm-github-broker that referenced this issue Sep 13, 2023
This one is a derived dependency of spring-boot, and we are already in the latest spring boot version. This is a false positive as stated here spring-projects/spring-boot#33457 and since we are not doing any manual yaml parsing. However, we can update to v2.2 to completely remove the snakeyaml 1.33 from our jars.
mohamedlajmileanix pushed a commit to leanix/vsm-github-broker that referenced this issue Oct 25, 2023
This one is a derived dependency of spring-boot, and we are already in the latest spring boot version. This is a false positive as stated here spring-projects/spring-boot#33457 and since we are not doing any manual yaml parsing. However, we can update to v2.2 to completely remove the snakeyaml 1.33 from our jars.
@swiss-chris
Copy link

We're using Spring Boot 3.1.5 in many projects. If I look at the spring-boot-dependencies artifact for this version, I still see <snakeyaml.version>1.33</snakeyaml.version>

when are you planning to change this to 2.0, so that we don't have to temporarily patch this maven property in all our projects (and then remember to remove it again in the future) ?

@bclozel
Copy link
Member

bclozel commented Nov 16, 2023

@swiss-chris Spring Boot 3.2.0, see #37331

@swiss-chris
Copy link

@bclozel The PR you linked has a commit which upgrades snakeyaml 2.1 to library("SnakeYAML", "2.2"). My problem seems to be a different one. I would like <snakeyaml.version>2.0</snakeyaml.version> inside spring-boot-dependencies of Spring Boot 3.x.

@bclozel
Copy link
Member

bclozel commented Nov 16, 2023

@swiss-chris we've upgraded to the latest SnakeYaml minor version (2.2) in Spring Boot 3.2. You can check the dependencies POM here. The issue I've pointed you to does just that, upgrading the SnakeYaml version in our dependency management.

@swiss-chris
Copy link

@bclozel thanks for the clarification. As Spring Boot 3.2 is already in RC2, I assume it will be in GA soon ... (?).

@bclozel
Copy link
Member

bclozel commented Nov 16, 2023

Yes, it will be out soon. You can check our release dates on the milestone page and on our public release calendar.

@swiss-chris
Copy link

Awesome!

jojule referenced this issue in vaadin/platform Aug 4, 2024
…ies (#3677)

* chore: add specific module for SBOM generation

* chore: workflow adjustmets

* chore: update license whitelist

* chore: add sso and k8s kits

* enclose frontend build in a profile

* chore: publish SBOM in release

* fix failure when using snapshots in java versions

* rename report files, and save with the artifacts

* fix hasOssToken by moving it to the cmd object

* use a profile for the sbom maven module

* make hasOssToken boolean

* put OSSINDEX credentials in env
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status: invalid An issue that we don't feel is valid
Projects
None yet
Development

No branches or pull requests