CVE-2022-1471 (snakeyaml) CVSS 9.8 (critical) is affecting SBOM's containing jruby #7935
Comments
|
If we got asciidoctorj to release a new version that uses JRuby 9.4.3.0, which uses SnakeYAML-Engine that does not have these CVEs... would you be able to upgrade asciidoctorj? We're kinda stuck between a rock and a hard place here. Forcing an upgrade of SnakeYAML on JRuby 9.3.x users means they will suddenly be using a YAML 1.2 engine, and noncompliant YAML will be rejected. We'll definitely get bug reports about it. On the other hand, JRuby 9.4.3+ already use the newer SnakeYAML with no CVEs, so there's an upgrade path. |
|
FYI the train has left the station for JRuby 9.3.11 at this point. Any change would have to be in 9.3.12. As detailed in #7600 (#7600 (comment)) these are the options I saw:
After some thinking I came up with one more option. It's not great but it would solve all problems.
Of these options we still prefer to do nothing, but I understand that is a nonstarter for situations like yours where you need asciidoctorj and it depends on a version of JRuby that uses the older SnakeYAML. |
JRuby 9.4.3.0 includes an udpated Psych YAML library, which uses SnakeYAML-Engine and avoids several CVEs against the original SnakeYAML. By updating here, downstream users of asciidoctorj will not run into security audit issues. See related issues and PRs: * jruby/jruby#7570 * jruby/jruby#7600 * jruby/jruby#7626 * jruby/jruby#7935
|
I've opened asciidoctor/asciidoctorj#1234 to try to make progress on the asciidoctorj side. |
|
Thank you for the update. I am bit confused, the latest version of asciidoctorj (2.5.10) still pulls in a version of jruby prior to 9.4.3, (it pulls 9.4.2.0) so are you saying that even the latest version of asciidoctorj is still susceptible to the snakeyaml vulnerability? I appreciate the efforts, but this combination of asciidoctorj -> jruby -> snakeyaml is going to be the end of me. :-) (have to have a sense of humor). But if you can work with the asciidoctorj team to coordinate an upgrade of both products, that would be awesome. |
|
@derekhillhp Aha, you know what, you are right! I was surprised 9.4.1.0 happened after the big psych update, but it did, and 9.4.1.0 does NOT use the SnakeYAML that has CVEs. Is that something you can't upgrade? I am confused about this issue if you know that latest asciidoctorj uses a fixed version of JRuby. |
|
We need to do some more checking, but our tool is no longer showing snakeyaml as a dependency to jruby. Can you elaborate a bit more on snakeyaml-engine. |
|
@derekhillhp I think @asomov could describe things better but SnakeYAML-Engine replaces SnakeYAML and updates YAML support to 1.2. It includes none of the Java marshaling/deserialization features that triggered CVE concerns in the original SnakeYAML. https://bitbucket.org/snakeyaml/snakeyaml-engine/src/master/ It evolved out of the original but many APIs have been updated or removed. We had very little trouble switching, and will be using SnakeYAML-Engine for all JRuby Psych (YAML API for Ruby) releases going forward. JRuby started using SnakeYAML-Engine via Psych 5.1.0 in JRuby 9.4.1.0 early this year.
We have at this time decided NOT to upgrade Psych (and therefore not upgrade SnakeYAML to SnakeYAML-Engine) in the JRuby 9.3 line because it would introduce the breaking change of forcing YAML 1.2 compliance on existing users. I initially thought that's what you were asking for, since we made this decision within the past few days (#7600). |
|
@headius -- just to clarify for my sanities sake, the switch from snakeyaml -> snakeyaml-engine happened in jruby 9.4.1.0 and asciidoctorj picked up jruby 9.4.2.0 when they updated to 2.5.10, therefore eliminating the snakeyaml (non engine) version and all associated CVE's that were related to the deserialization portion of snakeyaml. If that is indeed the case, then thank you for the previous work, I suppose we can go an close the issue then. |
|
@derekhillhp The upgrade to SnakeYAML-Engine happened in JRuby 9.4.1.0, and up until my PR above that was the version that asciidoctorj was using on master. I am not certain about the release cadence of asciidoctorj, but since that change happened in February/March, I'm fairly sure that any asciidoctorj since then has used JRuby 9.4.1.0 and are therefore not beholden to the CVE problems of SnakeYAML (non-Engine).
The rest of this is correct. The PR I made today upgrades asciidoctorj to 9.4.3.0, which doesn't change anything about the SnakeYAML story, but it was merged and so future asciidoctorj releases will use at least 9.4.3.0. It's probably worth asking yourself in the asciidoctorj issue tracker or discussions for clarification as to what releases contain which versions of JRuby. Thanks for working through this with me! |
|
@derekhillhp I would like to confirm what @headius said above about SnakeYAML Engine |
JRuby 9.4.3.0 includes an udpated Psych YAML library, which uses SnakeYAML-Engine and avoids several CVEs against the original SnakeYAML. By updating here, downstream users of asciidoctorj will not run into security audit issues. See related issues and PRs: * jruby/jruby#7570 * jruby/jruby#7600 * jruby/jruby#7626 * jruby/jruby#7935
Our software calls asciidoctorj as a dependent library, which in turn calls jruby, which relies on snakeyaml
snakeyaml < 2.0 currently has a critical CVE, CVE-2022-1471 -- https://nvd.nist.gov/vuln/detail/CVE-2022-1471
jruby pulls in a version prior to 2.0
Please update jruby to pull in snakeyaml 2.0 or greater.
I am very well aware of this previous comment: #7570 (comment)
However, this critical vulnerability is coming up in SBOM reports from pretty much all SCA/OSA vendors and is blocking deployments using the vulnerable version of snakeyaml.
edit: fixed typo
The text was updated successfully, but these errors were encountered: