Incorrect vulnerability details - SnakeYAML CVE-2022-38752 (affected versions) #328
Comments
Hi @albertwangnz since you've closed the issue has this actually been fixed in the OSSindex data?
IMHO it is not
It is not. Sorry, I just reopened.
Unfortunately sonatype don't seem to actually be looking at these community reports despite the requests to report here. Not sure what is up with that.
Sorry for the delay. We are working hard at getting some new data visible for OSS Index users. Specifically in this case Sonatype researchers determined that the issue was not completely resolved (in our opinion). Internally this is recorded as a "deviation notice". OSS Index does not currently report these deviations, but we are working on making them available soon (ish). Here is the official text for this vulnerability:
Almost all of the issues reported here are due to deviations like this one, but it is taking some time to get the new code out.
Hi @ken-duck , I really appreciate your feedback. This really helps us to make a decision about how to process the issue. And I understand it takes time to expose the "deviation notice" information in an appropriate way. But is that possible if you could also help to share the deviation notice information with the issues #316 and #331. Without a piece of further information, we don't know how can we process those two issues. Thank you. Regards,
I will try and dig out the notices for those ones today. I’ll add them to the raised issues themselves.
Ken
… On Oct 20, 2022, at 6:26 PM, Albert Wang ***@***.***> wrote:
Sorry for the delay. We are working hard at getting some new data visible for OSS Index users.
Specifically in this case Sonatype researchers determined that the issue was not completely resolved (in our opinion). Internally this is recorded as a "deviation notice". OSS Index does not currently report these deviations, but we are working on making them available soon (ish).
Here is the official text for this vulnerability:
The snakeyaml package is vulnerable to a Denial of Service (DoS) attack. The fillRecursive() method in the BaseConstructor class fails to limit the depth of recursion when parsing YAML data that contains recursive keys. A remote attacker who can supply YAML to be consumed by the application can exploit this vulnerability to cause the Java process to consume large amounts of available resources, potentially resulting in a DoS condition due to a StackOverflowError.
Advisory Deviation Notice: The Sonatype security research team discovered that this vulnerability was not fully addressed in version 1.32 as stated in the advisory, as this issue still affects users who enable allowRecursiveKeys.
Almost all of the issues reported here are due to deviations like this one, but it is taking some time to get the new code out.
Hi @ken-duck <https://github.com/ken-duck> , I really appreciate your feedback. This really helps us to make a decision about how to process the issue. And I understand it takes time to expose the "deviation notice" information in an appropriate way.
But is that possible if you could also help to share the deviation notice information with the issues #316 <#316> and #331 <#331>. Without a piece of further information, we don't know how can we process those two issues.
Thank you.
Regards,
Albert
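The deviation notice above turns on a single setting, `allowRecursiveKeys`, so the practical check for a defender is which `LoaderOptions` the application actually builds its `Yaml` instance with. The following is an added example, not code from this thread, from Sonatype or from the SnakeYAML project: it shows the weak configuration (recursive keys enabled) next to a hardened loader that keeps them disabled and caps nesting depth. It assumes SnakeYAML 1.32 or later, where `LoaderOptions.setNestingDepthLimit` is available; the class name, the `maxDepth` parameter and the nested input document are constructed for illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Constructed example class (not part of SnakeYAML or of this issue).
public class SnakeYamlHardening {

    // Hardened loader: recursive keys stay off (the library default), the
    // nesting depth is capped, and SafeConstructor prevents arbitrary-type
    // instantiation from untrusted documents.
    public static Yaml hardenedLoader(int maxDepth) {
        LoaderOptions options = new LoaderOptions();
        options.setAllowRecursiveKeys(false);   // the setting the deviation notice depends on
        options.setNestingDepthLimit(maxDepth); // assumed present on 1.32+ (default there is 50)
        return new Yaml(new SafeConstructor(options));
    }

    // Weak loader: this is the configuration the deviation notice says is still
    // affected on 1.32, because the recursion limit does not cover recursive keys.
    public static Yaml weakLoader() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowRecursiveKeys(true);
        return new Yaml(new SafeConstructor(options));
    }

    // Constructed, benign input: five nested mappings, no anchors or aliases,
    // used only to show the depth cap rejecting a document that exceeds it.
    static final String NESTED_DOC =
        "a:\n  b:\n    c:\n      d:\n        e: leaf\n";

    public static void main(String[] args) {
        // A cap of 3 is exceeded by the five-level document and should be rejected.
        Yaml strict = hardenedLoader(3);
        try {
            strict.load(NESTED_DOC);
            System.out.println("unexpected: document exceeded the depth cap but loaded");
        } catch (YAMLException e) {
            System.out.println("rejected by depth cap: " + e.getMessage());
        }

        // A cap well above the document's depth lets the same input through.
        Yaml generous = hardenedLoader(50);
        Object tree = generous.load(NESTED_DOC);
        System.out.println("loaded: " + tree);
    }
}
```

When auditing a dependency report for this CVE, the useful question is therefore not only "is the version 1.32 or later" but also "does any code path call `setAllowRecursiveKeys(true)`"; a scanner that only reads the version string cannot tell the two apart, which is the gap the deviation notice records.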
Hi Albert. I am emailing you the details until the coding is done to make all this data public…
For sonatype-2017-0348:
Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The `setupCurrentEntity()` method in the `XMLEntityManager` class lacks a connection timeout mechanism. A remote attacker can exploit this vulnerability by supplying an XML document containing a URL to their malicious FTP server. This URL is then retrieved and stored in the `expandedSystemId` object, and used to instantiate a `URLConnection`. Once the server begins fetching the resource, the attacker's server would then exit abruptly, leaving the connection in a `CLOSE_WAIT` status. The attacker would need to issue one request per thread, eventually leading to a DoS as the application repeatedly attempts to fetch the FTP resource.
NOTE: This vulnerability was assigned CVE-2017-10355.
…
Incidentally, this vulnerability can be mitigated by upgrading your Java JDK to 6u171 or above (for 6.x), 7u161 or above (for 7.x), 8u151 or above (for 8.x), or 9.0.1 or above (for 9.x).
For sonatype-2022-2249:
The `styled-components` package has an Unintended Behavior. The `postinstall.js` file looks for users using a `ru` time-zone to show a political protest message using the `console.warn()` function. Also, the absence of this file in the 5.3.4 version causes a crash when the package is installed.
I hope these details help.
Ken
Thanks a lot for your so kind help, @ken-duck ! Regards,
@ken-duck I don't understand how the details you reported above are related to the issue here. Furthermore, I suggest you further analyze what @chadlwilson posted at jeremylong/DependencyCheck#4919 (comment). If you (i.e. Sonatype) stick to the earlier assessment that
then I'm afraid this won't ever be resolved. If you enable
Seems they have re-assessed this as both https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml
Thank you, @chadlwilson . I just noticed this message. Will close this issue.
Vulnerability URL
https://ossindex.sonatype.org/vulnerability/CVE-2022-38752?component-type=maven&component-name=org.yaml/snakeyaml
Component URL
https://ossindex.sonatype.org/component/pkg:maven/org.yaml/snakeyaml
Description
According to both the developers and NVD, this CVE was fixed in SnakeYAML 1.32, but is still being reported against it by OSSINDEX.
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
jeremylong/DependencyCheck#4839
https://nvd.nist.gov/vuln/detail/CVE-2022-38752