Snakeyaml 1.33 to be updated to 2.0 #15088
Comments
Currently working on the fix for this - waiting to be assigned to the issue by someone with the relevant permissions
Resolved with #15125
Amazing news! @mashhurs Do you know if this went out with 8.8.2 or if it is planned for 8.8.3+
@JonahLuckett CVE-2022-1471 is still present in 8.8.2
Edit: 8.10 version (hopefully released soon) will be less affected version includes this change.
@mashhurs The release notes for 8.9.0 say snakeyaml has been updated to 2.0. However, when I scan with Trivy it doesn't seem to be the case?
Sorry for the confusion, updated the release note (#15221), web page update will be reflected soon.
@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but it doesn't seem to include this yet. Thanks!
@mseiler90 Logstash core updated
Here are two screenshots showing the vulnerability along with some others and a screenshot of the labels to show that it is 8.10.2. This is from Prisma Compute (Twistlock). We also see it in Azure Defender.
@mashhurs any thoughts on this? I do see in the build.gradle that 2.0 is explicitly set, but the image scanning tools still seem to think otherwise for me. Do you happen to have any insight into the other vulnerabilities being addressed as well? Thanks for your help.
After further investigation, it seems it is due to the logstash-filter-useragent-3.3.4.jar, which I see a PR on this repo addressed (logstash-plugins/logstash-filter-useragent#89), and I'm assuming Logstash 8.10.3 will include this updated jar?
Yes,
Unfortunately that tool isn't showing the actual jar that the vulnerabilities are in. Our company proxies images through JFrog Artifactory, and using that I reviewed the Xray scan and found the snakeyaml vulnerability in the useragent jar. The other vulnerabilities appear to be in the main jar, as the paths are not indicating any other jar like the snakeyaml vulnerability.
@mashhurs I've updated to 8.11.1 and I can see that snakeyaml 1.33 is still present in logstash/logstash-core/lib/jars/snakeyaml-1.33.jar
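The scanner confusion discussed in the comments above (a SnakeYAML finding reported against the Logstash image that actually lived inside logstash-filter-useragent-3.3.4.jar) can be checked locally with a small script that walks jars and the jars nested inside them. This is an added example, not code from the Logstash project; the jar contents are constructed in memory, and the `META-INF/maven/org.yaml/snakeyaml/pom.properties` path is assumed to be where SnakeYAML's Maven build records its version when a shaded jar has been renamed.

```python
import io
import re
import zipfile

# SnakeYAML is found by jar file name, or by the Maven pom.properties a renamed/shaded jar keeps.
JAR_NAME_RE = re.compile(r"snakeyaml-(\d+(?:\.\d+)*)\.jar$")
POM_PROPS = "META-INF/maven/org.yaml/snakeyaml/pom.properties"  # assumed layout


def find_snakeyaml(data: bytes, path: str):
    """Yield (location, version) for every SnakeYAML copy reachable from one
    jar, descending into jars embedded inside it (e.g. a plugin jar's lib/)."""
    m = JAR_NAME_RE.search(path)
    if m:
        yield path, m.group(1)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if POM_PROPS in names and not m:
            ver = re.search(r"^version=(.+)$", zf.read(POM_PROPS).decode(), re.M)
            if ver:
                yield path, ver.group(1).strip()
        for name in names:
            if name.endswith(".jar"):  # nested jar: recurse, noting the "!/" path
                yield from find_snakeyaml(zf.read(name), f"{path}!/{name}")


def vulnerable(version: str) -> bool:
    """SnakeYAML 2.0 is the first release that resolves CVE-2022-1471."""
    return int(version.split(".")[0]) < 2


def scan(jars: dict) -> list:
    """Return [(location, version, vulnerable)] over a {path: jar bytes} map."""
    return [(loc, ver, vulnerable(ver))
            for path, data in jars.items()
            for loc, ver in find_snakeyaml(data, path)]


def _jar(entries: dict) -> bytes:
    buf = io.BytesIO()  # build a jar (zip) in memory from {entry name: content}
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample (not real artifacts): a plugin jar bundling snakeyaml-1.33.jar
# the way the useragent filter did, plus a shaded jar that only keeps pom.properties.
SAMPLE_JARS = {
    "logstash-filter-useragent-3.3.4.jar": _jar({
        "lib/snakeyaml-1.33.jar": _jar({"org/yaml/snakeyaml/Yaml.class": b""}),
    }),
    "shaded-plugin.jar": _jar({POM_PROPS: "groupId=org.yaml\nartifactId=snakeyaml\nversion=2.0\n"}),
}
```

Pointing `scan` at the real jars under a Logstash install (read each file's bytes into the map) reports the full nested path, which is the detail the image scanners above were not showing.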
Description
The release of SnakeYAML 2.0 resolves CVE-2022-1471 - currently Logstash is using SnakeYAML 1.33.
Currently a clean bump to 2.0 results in the following error taken from this comment:
Concerns raised that will be covered by the fix to this work:
Relevant documentation