Snakeyaml 1.33 to be updated to 2.0

[JonahLuckett]

Description

The release of SnakeYAML 2.0 resolves CVE-2022-1471 - currently Logstash is using SnakeYAML 1.33

Currently a clean bump to 2.0 results in the following error taken from this comment:

> Task :installBundler
uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems.rb:632: warning: The Psych YAML extension failed to load.
Check your env for conflicting versions of SnakeYAML
See https://github.com/jruby/jruby/wiki/FAQs#why-does-the-psych-yaml-extension-fail-to-load-in-my-environment

> Task :installBundler FAILED

FAILURE: Build failed with an exception.

* Where:
Script '/home/andrea/workspace/logstash_andsel/rubyUtils.gradle' line: 101

* What went wrong:
Execution failed for task ':installBundler'.
> (LoadError) bad SnakeYAML version 2.0, required 1.21 or higher; check your CLASSPATH for a conflicting jar

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 39s
49 actionable tasks: 35 executed, 14 up-to-date

Concerns raised that will be covered by the fix to this work:

• SafeConstructor ignores LoaderOptions setCodePointLimit() changelog: when we upgraded to 1.33 we set code point limit and now it ignores in 2.0. We have to make sure our sources are CVE free.
• CustomClassLoaderConstructor takes LoaderOptions: when creating Yaml interface, we have some places utilize CustomClassLoaderConstructor and now it requires LoaderOptions.

Relevant documentation

• https://github.com/elastic/logstash/pull/14948 - current PR
• https://nvd.nist.gov/vuln/detail/CVE-2022-1471

[JonahLuckett]

Currently working on the fix for this - waiting to be assigned to the issue by someone with the relevant permissions

[deepakLabs]

@mashhurs @jsvd

[mashhurs]

Resolved with https://github.com/elastic/logstash/pull/15125

[JonahLuckett]

Amazing news! @mashhurs Do you know if this went out with 8.8.2 or if it is planned for 8.8.3+

[aumayr]

@JonahLuckett CVE-2022-1471 is still present in 8.8.2

[mashhurs]

Edit: 8.10 version (hopefully release soon) will be less affected version includes this change.

[sonloi]

@mashhurs The release notes for 8.9.0 says snakeyaml has been updated to 2.0. However when I scan with Trivy it doesn't seem to be the case?

[mashhurs]

@mashhurs The release notes for 8.9.0 says snakeyaml has been updated to 2.0. However when I scan with Trivy it doesn't seem to be the case?

Sorry for confusion, updated the release note (https://github.com/elastic/logstash/pull/15221), web page update will be reflected soon.

[mseiler90]

@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!

[mashhurs]

@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!

@mseiler90 Logstash core updated snakeyaml in 8.10.x versions. Can you show me the output of your scanner or the way you figure out that snakeyaml didn't get updated.

[mseiler90]

@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!

@mseiler90 Logstash core updated snakeyaml in 8.10.x versions. Can you show me the output of your scanner or the way you figure out that snakeyaml didn't get updated.

Here are two screehsots showing the vulnerability along with some others and a screenshot of the labels to show that it is 8.10.2. This is from Prisma Compute (Twistlock). We also see it in Azure Defender.

[mseiler90]

@mashhurs any thoughts on this? I do see in the build.gradle that 2.0 is explicitly set, but the image scanning tools still seem to think otherwise for me. Do happen to have any insight into the other vulnerabilities being addressed as well? Thanks for your help.

[mseiler90]

After further investigation, it seems it is due to the logstash-filter-useragent-3.3.4.jar which I see a PR on this repo addressed https://github.com/logstash-plugins/logstash-filter-useragent/pull/89 and I'm assuming Logstash 8.10.3 will include this updated jar?

[mashhurs]

After further investigation, it seems it is due to the logstash-filter-useragent-3.3.4.jar which I see a PR on this repo addressed logstash-plugins/logstash-filter-useragent#89 and I'm assuming Logstash 8.10.3 will include this updated jar?

Yes, filter-useragent changes will reflect in 8.10.3. The screenshot you showed in your previous comment shows the JARs but doesn't shows the full path. Can you let me know where those JARs located? I am also assuming it is in useragent plugin JAR but not 100% sure.

[mseiler90]

Unfortunately that tool isn't showing the the actual jar that the vulnerabilities are in. Our company proxies images through JFrog Artifactory, and using that I reviewed the Xray scan and found the snakeyaml vulnerability in the useragent jar. The other vulnerabilities appear to be in the main jar as the paths are not indicating any other jar like the snakeyaml vulnerability.

[sonloi]

@mashhurs I've updated to 8.11.1 and I can see that snakeyaml 1.33 is still present in logstash/logstash-core/lib/jars/snakeyaml-1.33.jar