Snakeyaml vulnerability in OpenSearch - autoclosed #5576
Comments
Thank you @akhil-lm for reporting this issue and tagging the relevant artifacts. I am looking into the artifacts attached (also listed below) to learn more about the vulnerability and how it can be exploited in OpenSearch. Also, I see CVE-2022-1471[3], the security report[2] & the repository [4] do not report any vulnerability in 1.32 (the Opensearch version in main, 2.x and 1.x). [1] https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
Hi @dreamer-89, the latest Opensearch library available is v2.4.1. Would the change in the above PR be part of the next version v2.4.2? If yes, could you please let me know when we can expect the new version? Thanks so much.
Hi @dreamer-89, in our application we're getting the snakeyaml artifact through the 'opensearch-x-content' artifact. Additionally, we also use the 'opensearch' and 'opensearch-rest-high-level-client' artifacts in our application. Hence, we're interested to know whether these artifacts are affected by the reported snakeyaml vulnerability. Request your inputs on the same.
Thanks @akhil-lm for checking on this. Based on the release schedule, the fix should go in
Inside OpenSearch, no code path was identified that can be exploited for the
@akhil-lm: The fix in
@dreamer-89 I don't find an option to reopen the issue. But opensearch-3.0.0-SNAPSHOT.jar is still under security vulnerability due to snakeyaml-1.32.jar. More details are available in the issue below
I'll reopen it.
FYI, the Whitesource [1] caches that, along with
[1] https://github.com/opensearch-project/OpenSearch/pull/5666/checks?check_run_id=10881469266
I believe all usages of SnakeYaml in OpenSearch are now using
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
We use the opensearch-x-content:2.0.0 and org.opensearch.client:opensearch-rest-high-level-client:2.0.0 jars in our application, which use the vulnerable snakeyaml artifact. Even the most recent snakeyaml version v1.33 has a high vulnerability that can lead to remote code execution: https://nvd.nist.gov/vuln/detail/CVE-2022-1471
Snakeyaml hasn't offered an updated safe version so far. Since we use Opensearch, the snakeyaml library is transitively added as well.
Spring Boot came up with their analysis on why their use-case of snakeyaml is not vulnerable, even though they use it: spring-projects/spring-boot#33457
Is there a plan by Opensearch to address this challenge/vulnerability that comes with using Snakeyaml? Please let me know if there's any update.
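The CVE-2022-1471 weakness discussed in this issue is a property of how SnakeYAML is configured, not of the version alone. The Java snippet below is an added example (not code from the issue, OpenSearch or SnakeYAML) that places the weak loader next to the hardened one; the YAML document and the class name `SnakeYamlLoaderCheck` are constructed for the demonstration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SnakeYamlLoaderCheck {

    // Constructed sample document: an explicit global "!!" tag asks the loader
    // to instantiate a class named by the document rather than by the application.
    // ArrayList is harmless here; the point is that the default Constructor
    // honours such a tag for any class on the classpath, which is the CVE-2022-1471 issue.
    static final String TAGGED_DOC = "items: !!java.util.ArrayList [1, 2]\n";

    /** Weak configuration: new Yaml() uses Constructor, which resolves !! tags to JVM classes. */
    static Object loadWithDefaultConstructor(String doc) {
        Yaml yaml = new Yaml();
        return yaml.load(doc);
    }

    /** Hardened configuration: SafeConstructor only builds standard YAML types (maps, lists, scalars). */
    static Object loadSafely(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // The default loader builds whatever class the tag names: the class is chosen by the input.
        Map<?, ?> fromDefault = (Map<?, ?>) loadWithDefaultConstructor(TAGGED_DOC);
        System.out.println("default loader built: " + fromDefault.get("items").getClass().getName());

        // The safe loader has no constructor registered for global tags and rejects the document.
        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: safe loader accepted the global tag");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected the global tag: " + e.getProblem());
        }
    }
}
```

Auditing a dependency's SnakeYAML usage comes down to this distinction: any `new Yaml()` or `new Constructor(...)` that receives untrusted input is in scope for the CVE, while loaders built on `SafeConstructor` are not.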