HeroDevs
Visit NES for SnakeYAML Home Page

CVE-2022-1471 Resolution

Information on the resolution of CVE-2022-1471 in NES for SnakeYAML

Overview

SnakeYAML is a popular Java library for parsing and emitting YAML. CVE-2022-1471 describes a remote code execution vulnerability in some versions of SnakeYAML.

Given an Java class named Person like this:

public class Person {
    private String firstName;
    private String lastName;

    public Person() {
    }

    // getters and setters
}

A YAML document can represent a Person with content such as the following:

!!Person
  firstName: "John"
  lastName: "Doe"

The !!Person heading is called a global tag, and it gives the YAML parser information about the type of data that is represented in the YAML document.

SnakeYAML Version 1.33 and Earlier

With SnakeYAML version 1.33 and earlier, a YAML document like this can be loaded and parsed with code like the following:

    Yaml yaml = new Yaml();
    Object data = yaml.load(document);

When the document is loaded, SnakeYAML will instantiate a new object of type Person and populate it with the fields from the document. The security issue arises from the fact that a class mentioned in a global tag can be any class in the JVM. Using a global tag to cause SnakeYAML to instantiate system classes could allow code to access or change sensitive information on the system.

SnakeYAML Version 2.0 and Later

With SnakeYAML 2.0 and later, global tags are disabled by default. Attempting to load a YAML document that contains global tags as shown in the example above will cause a runtime error. SnakeYAML 2.0 is “secure by default”. The SnakeYAML API can be explicitly configured to allow global tags to be processed, and applications can opt in to allowing specific types of objects to be instantiated and populated.

Trusted and Untrusted Input

When talking about security, input to an application can be considered trusted or untrusted.

Untrusted input is provided by users or another source external to a system. Input could be provided by HTTP requests, a web UI form, or messaging systems.

Trusted input is controlled by the system itself and cannot be manipulated by external sources. This often takes the form of system configuration files or customization information.

It is somewhat unusual for an application to accept untrusted YAML content as input from an external source. In many cases, the YAML content processed by SnakeYAML is trusted application configuration, and therefore does not constitute a vulnerability in the system.

SnakeYAML with Spring Boot

Spring Boot applications can be configured using YAML files, typically named application.yml. Spring Boot uses the recommended safe construction API when creating YAML parsers using SnakeYAML, so global tags will not be processed when processing application configuration files.

Spring Boot configuration YAML files are considered trusted input, as they are stored in locations that are only accessible by the system at startup, and can not be provided or manipulated by end users.

For these reasons, Spring Boot itself is not vulnerable to this CVE.

If an application is not using SnakeYAML itself, but SnakeYAML is only on the classpath because Spring Boot uses it internally, then the application is not vulnerable to this CVE.

Remediation

CVE-2022-1471 can be remediated by using a version of SnakeYAML that does not allow global tags to be processed by default. Unless your application directly uses the SnakeYAML API to process YAML input, upgrading SnakeYAML should be transparent to the application.

There are two options when upgrading SnakeYAML:

  • Open-source SnakeYAML 2.0 or greater
    Version 2.0 has changes that are backward-incompatible with version 1.33 and earlier, such as the removal of previously deprecated methods. If your application is not using the SnakeYAML API directly, it is likely that SnakeYAML can be upgraded to 2.0 or greater without affecting your application. If your application is using the SnakeYAML API directly, your code might have to adapt to these changes.
  • HeroDevs NES for SnakeYAML 1.34
    The HeroDevs NES version of SnakeYAML is identical to open-source version 1.33 except for the changes that disallows global tags by default. There are no API changes in the NES version.

Upgrading SnakeYAML in a Spring Boot application

Spring Boot versions 2.7 through 3.1, as well as HeroDevs NES for Spring Boot 2.7, use SnakeYAML 1.33 by default but are compatible with SnakeYAML 2.0. Spring Boot versions 3.2 and later use SnakeYAML 2.x by default.

To use NES for SnakeYAML, follow the NES Getting Started instructions.

Follow the instructions in the Spring Boot Maven plugin or Spring Boot Gradle plugin documentation to set a property in the Maven build file to specify the SnakeYAML version to use.

Maven

<properties>
    <snakeyaml.version>1.33.0-snakeyaml-1.34.0</snakeyaml.version>
</properties>

Gradle

ext['snakeyaml.version'] = '1.33.0-snakeyaml-1.34.0'
Release Notes
Complete Changelog for NES for SnakeYAML
Previous Article
Published Maven Packages
Available versions of NES Maven artifacts
Next Article