
Snakeyaml vulnerability in OpenSearch 2.2.1 #5614

Closed
martin-gaievski opened this issue Dec 21, 2022 · 2 comments
Labels
bug Something isn't working untriaged

Comments

@martin-gaievski
Member

Opensearch 2.2.1 has a dependency on vulnerable Snakeyaml version 1.26.

Dependency Hierarchy:

-> opensearch-2.2.1-SNAPSHOT.jar (Root Library)
  -> opensearch-x-content-2.2.1-SNAPSHOT.jar
    -> ❌ snakeyaml-1.26.jar (Vulnerable Library)

Please check details of the WhiteSource scan here

This is a CI blocker in case changes are required in a plugin bundled with core 2.2.x.

@tlfeng
Collaborator

tlfeng commented Dec 27, 2022

I think OpenSearch core is not affected by the CVE-2022-1471.

Although snakeyaml library exists in the build artifact of OpenSearch, it's not directly used by OpenSearch.
SnakeYAML library is a dependency for jackson-dataformat-yaml in opensearch-x-content library.
I checked the code repository of jackson-dataformat-yaml, snakeyaml is used for low-level YAML parsing, see here for the code, and the vulnerable SnakeYaml's Constructor() class doesn't occur in the code base.

Seeing from the CVE description, the mitigation is to use an alternative API, instead of upgrading the version. While to mute the alert from security scanners, the version of snakeyaml that is declared in OpenSearch core has been bumped to 1.32 on Sept. 19, 2022 and Sept. 28 in all maintained branches.

In addition, Security Analytics plugin may be affected by the vulnerability, which is not part of this code repository, and the fix will go in 2.5.0 release on Jan 17, 2023, see the PR #5576 for detail.

I will close the issue, please feel free to reopen if you have further questions.

@tlfeng
Collaborator

tlfeng commented Apr 4, 2023

Update on April 2023:
There are 2 locations where OpenSearch uses snakeyaml:

  1. Transitive dependency for jackson-dataformat-yaml library
    As confirmed from the active contributors of jackson-dataformats-text in the related issues (https://github.com/FasterXML/jackson-dataformats-text/issues?q=is%3Aissue+snakeyaml+cve), jackson-dataformats library is not affected by CVE-2022-1471.
    The version of snakeyaml library will be upgraded in the next version release of jackson-dataformats-text.
  2. In class ExtensionManager
    snakeyaml usage is introduced in the commit c2307fb in January 2023, in OpenSearch 2.5.0. The usage has likely been affected by the CVE, but the "Extensions" feature is under development and not open to the public.
    While in OpenSearch 2.6.0, the vulnerability has been remediated by the commit a5dc22a.
    The version of snakeyaml has been upgraded to 2.0 in the commit 8bda365, which will be released in OpenSearch 2.7.0 and 3.0. snakeyaml version 2.0 is not affected by the CVE.
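The two comments above turn on one distinction: whether a YAML document is loaded through SnakeYAML's `Constructor`, which honours global tags and instantiates whatever JVM class the document names (the mechanism behind CVE-2022-1471), or through a constructor that only knows the standard YAML scalar and collection types. The following example is added here to show that distinction; it is not code from the OpenSearch issue, from OpenSearch, or from the SnakeYAML project. It assumes a SnakeYAML 1.33 jar on the classpath (the `LoaderOptions`-taking constructors used below exist in the late 1.x releases; in SnakeYAML 2.0 the default `Constructor` already rejects arbitrary global tags, so the first branch would throw there too). The class name, method names and sample documents are constructed for the example.

```java
// Added example (not from the OpenSearch issue or the SnakeYAML project).
// Assumes snakeyaml 1.33 on the classpath.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SnakeYamlLoaderComparison {

    // Constructed sample: the global tag asks the loader to instantiate a JVM
    // class chosen by the document author. A harmless class is used here; the
    // point is whether the loader honours the tag at all, not what the class does.
    static final String TAGGED_DOC = "setting: !!java.lang.StringBuilder {}\n";

    // Constructed sample: an untagged document, as a configuration file normally looks.
    static final String PLAIN_DOC = "setting: value\nlimit: 42\n";

    /** 1.x default behaviour: new Yaml() is equivalent to new Yaml(new Constructor()),
     *  which resolves global tags to classes and instantiates them. */
    static Object loadWithDefaultConstructor(String doc) {
        Yaml yaml = new Yaml(new Constructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    /** Restricted loader: SafeConstructor only knows the standard YAML types
     *  (str, int, float, bool, timestamp, map, seq, ...) and rejects any other global tag. */
    static Object loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // Both loaders accept untagged configuration.
        Map<?, ?> plain = (Map<?, ?>) loadWithSafeConstructor(PLAIN_DOC);
        System.out.println("plain document via SafeConstructor: " + plain);

        // The default constructor honours the tag: the value under "setting" is a
        // StringBuilder, i.e. the document, not the application, chose the class.
        Map<?, ?> tagged = (Map<?, ?>) loadWithDefaultConstructor(TAGGED_DOC);
        System.out.println("tagged document via Constructor: "
                + tagged.get("setting").getClass().getName());

        // SafeConstructor refuses the same document before any class is resolved.
        try {
            loadWithSafeConstructor(TAGGED_DOC);
            System.out.println("unexpected: tag was accepted");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

This is the check a reviewer would apply to a code path like the `ExtensionManager` usage mentioned above: grep for `new Yaml(` and confirm that every instance is built with `SafeConstructor` (or runs on SnakeYAML 2.0, where the restriction is the default) rather than with the no-argument form. A parser that consumes only the low-level event stream, as the comment describes jackson-dataformat-yaml doing, never reaches the tag-to-class step at all, which is why the transitive dependency alone does not make an application exploitable.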
