
update snakeyaml to 1.26+ to address security vulnerability CVE-2017-18640 #3223

Closed · brentryan (Contributor) opened this issue Apr 1, 2020 · 3 comments

DESCRIPTION FROM CVE
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

EXPLANATION
The snakeyaml package is vulnerable to YAML Entity Expansion. The load method in Yaml.class allows for entities to reference other entities. An attacker could potentially exploit this behavior by providing a YAML document with many entities that reference each other, which could take a large amount of memory to process, potentially resulting in a Denial of Service (DoS) situation.

DETECTION
The application is vulnerable by using this component with untrusted user input when the maxAliasesForCollections is set too high or settings.setAllowRecursiveKeys is set to false.

RECOMMENDATION
We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

ROOT CAUSE
snakeyaml-1.24-android.jar : org/yaml/snakeyaml/constructor/BaseConstructor.class (affected versions: ( , 1.26))
ADVISORIES
Project: https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
CVSS DETAILS
CVE CVSS 3: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
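As an added example (not code from this issue, from Dropwizard or from SnakeYAML itself), the mitigation the advisory points at, assuming the SnakeYAML 1.26+ LoaderOptions API (setMaxAliasesForCollections, setAllowRecursiveKeys and the Yaml(LoaderOptions) constructor): a loader that caps alias use for collections, applied to one benign and one constructed over-aliased document.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    // Loader for untrusted input. Both setters are assumed to be the
    // SnakeYAML 1.26+ API; the 1.26 default for the alias cap is 50.
    static Yaml hardenedLoader(int maxAliases) {
        LoaderOptions options = new LoaderOptions();
        options.setMaxAliasesForCollections(maxAliases);
        options.setAllowRecursiveKeys(false);
        return new Yaml(options);
    }

    // Returns the parsed object, or null when the composer rejects the
    // document because the alias cap was exceeded (a YAMLException).
    static Object loadUntrusted(String doc, int maxAliases) {
        try {
            return hardenedLoader(maxAliases).load(doc);
        } catch (YAMLException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: two legitimate aliases of one shared list.
        String benign = "defaults: &d [a, b]\n"
                      + "x: *d\n"
                      + "y: *d\n";

        // Constructed sample: each level aliases the previous collection
        // four times, so eight collection aliases exceed a cap of 5 and
        // the document is refused before any expansion happens.
        String nested = "a: &a [x, x]\n"
                      + "b: &b [*a, *a, *a, *a]\n"
                      + "c: [*b, *b, *b, *b]\n";

        System.out.println("benign accepted: " + (loadUntrusted(benign, 5) != null));
        System.out.println("nested accepted: " + (loadUntrusted(nested, 5) != null));
    }
}
```

The cap is counted per document by the composer, so the check fires on the alias count itself rather than on the memory the expanded structure would need.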

joschi (Member) commented Apr 2, 2020

@brentryan Thanks for reporting this issue!

We're in contact with the Jackson team to update the SnakeYAML dependency in their module.

joschi (Member) commented Apr 4, 2020

Addressed in #3227 and #3228.

joschi closed this as completed Apr 4, 2020