
List:       oss-security
Subject:    [oss-security] CVE-2023-46302: Apache Submarine: Fix CVE-2022-1471 SnakeYaml unsafe deserialization
From:       Xiang Chen <cdmikechen () apache ! org>
Date:       2023-11-19 7:59:35
Message-ID: 9d46de17-2d89-2795-3096-6e2e46687e9a () apache ! org

Severity: critical

Affected versions:

- Apache Submarine 0.7.0 before 0.8.0

Description:

Apache Submarine has a bug when deserializing YAML input. The bug is caused by SnakeYAML (https://nvd.nist.gov/vuln/detail/CVE-2022-1471).

Apache Submarine uses JAX-RS to define REST endpoints. In order to handle YAML requests (using the application/yaml content-type), it defines a YamlEntityProvider entity provider that processes all incoming YAML requests. In order to unmarshal the request, the readFrom method is invoked, passing the entityStream containing the user-supplied data, in `submarine-server/server-core/src/main/java/org/apache/submarine/server/utils/YamlUtils.java`. We have now fixed this issue in the new version by replacing SnakeYAML with `jackson-dataformat-yaml`.

This issue affects Apache Submarine from 0.7.0 before 0.8.0. Users are recommended to upgrade to version 0.8.0, which fixes this issue. If you are using a version below 0.8.0 and do not want to upgrade, you can cherry-pick PR https://github.com/apache/submarine/pull/1054 and rebuild the submarine-server image to fix this.
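To illustrate the fix described above, here is an added example (not Apache Submarine's own code) of a JAX-RS entity provider that binds `application/yaml` request bodies through `jackson-dataformat-yaml` instead of SnakeYAML's default constructor. The class name and the deserialization features enabled are assumptions for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;
import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.dataformat.yaml.YAMLMapper;

// Hypothetical hardened YAML entity provider (example code, not the project's own).
//
// The pattern this replaces is SnakeYAML's default constructor used directly on
// request data, e.g.  new Yaml().loadAs(entityStream, type);
// With SnakeYAML before 2.0 that constructor resolves global "!!some.Class" tags
// in the document to arbitrary classes on the classpath (CVE-2022-1471), so the
// sender of the request, not the endpoint, decides what gets instantiated.
@Provider
@Consumes("application/yaml")
public class SafeYamlEntityProvider implements MessageBodyReader<Object> {

    // jackson-dataformat-yaml uses SnakeYAML only as an event parser and binds the
    // document through Jackson databind. Jackson instantiates only the declared target
    // type (polymorphic/default typing is off unless explicitly enabled), so a class
    // tag in untrusted input does not select which class is constructed.
    private static final YAMLMapper MAPPER = YAMLMapper.builder()
            .disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES) // assumption: lenient binding
            .build();

    @Override
    public boolean isReadable(Class<?> type, Type genericType,
                              Annotation[] annotations, MediaType mediaType) {
        return mediaType != null && "yaml".equalsIgnoreCase(mediaType.getSubtype());
    }

    @Override
    public Object readFrom(Class<Object> type, Type genericType, Annotation[] annotations,
                           MediaType mediaType, MultivaluedMap<String, String> httpHeaders,
                           InputStream entityStream) throws IOException, WebApplicationException {
        // Bind strictly to the endpoint's declared parameter type; malformed or
        // unexpected documents fail here with a parse/mapping exception instead of
        // triggering object construction chosen by the request body.
        return MAPPER.readValue(entityStream, type);
    }
}
```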

This issue is being tracked as SUBMARINE-1371 

Credit:

GHSL team member @jorgectf (Jorge Rosillo) (reporter)

References:

https://issues.apache.org/jira/browse/SUBMARINE-1371
https://github.com/apache/submarine/pull/1054
https://submarine.apache.org/
https://www.cve.org/CVERecord?id=CVE-2023-46302

