sofastack / sofa-jraft

A production-grade java implementation of RAFT consensus algorithm.
https://www.sofastack.tech/projects/sofa-jraft/
Apache License 2.0

Dependency org.yaml:snakeyaml, leading to CVE problem #960

Closed CVEDetect closed 1 year ago

CVEDetect commented 1 year ago

Hi, in /jraft-example, there is a dependency org.yaml:snakeyaml:1.27 that calls the risk method.

CVE-2022-25857

The scope of this CVE affected version is [0,1.31)

After further analysis, in this project, the main API called is org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Risk method repair link : GitHub

CVE Bug Invocation Path--

Path Length : 5

CVE Bug Invocation Path : 
com.alipay.sofa.jraft.example.rheakv.MultiGetExample: multiGet(com.alipay.sofa.jraft.rhea.client.RheaKVStore)V /download/apache-maven-3.6.3/repository_mount/org/ow2/asm/asm/6.0/asm-6.0.jar
org.yaml.snakeyaml.Yaml$2: next()Ljava.lang.Object; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.12.6/jackson-annotations-2.12.6.jar
org.yaml.snakeyaml.Yaml$2: next()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.12.6/jackson-annotations-2.12.6.jar
org.yaml.snakeyaml.composer.Composer: getNode()Lorg.yaml.snakeyaml.nodes.Node; /download/apache-maven-3.6.3/repository_mount/com/fasterxml/jackson/core/jackson-annotations/2.12.6/jackson-annotations-2.12.6.jar
org.yaml.snakeyaml.composer.Composer: composeNode(org.yaml.snakeyaml.nodes.Node)Lorg.yaml.snakeyaml.nodes.Node;

Dependency tree--

[INFO] com.alipay.sofa:jraft-example:jar:1.3.12
[INFO] +- com.alipay.sofa:jraft-core:jar:1.3.12:compile
[INFO] |  +- org.ow2.asm:asm:jar:6.0:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- org.rocksdb:rocksdbjni:jar:7.7.3:compile
[INFO] |  +- net.java.dev.jna:jna:jar:5.5.0:compile
[INFO] |  +- org.jctools:jctools-core:jar:2.1.1:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] |  +- com.lmax:disruptor:jar:3.3.7:compile
[INFO] |  +- com.google.protobuf:protobuf-java:jar:3.5.1:compile
[INFO] |  +- commons-io:commons-io:jar:2.8.0:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- com.alipay.sofa:bolt:jar:1.6.4:compile
[INFO] |  |  +- io.netty:netty-all:jar:4.1.42.Final:compile
[INFO] |  |  \- com.alipay.sofa.common:sofa-common-tools:jar:1.0.12:compile
[INFO] |  +- com.alipay.sofa:hessian:jar:3.3.6:compile
[INFO] |  \- io.dropwizard.metrics:metrics-core:jar:4.0.2:compile
[INFO] +- com.alipay.sofa:jraft-rheakv-core:jar:1.3.12:compile
[INFO] |  +- net.openhft:affinity:jar:3.1.7:compile
[INFO] |  |  +- net.java.dev.jna:jna-platform:jar:4.4.0:compile
[INFO] |  |  \- com.intellij:annotations:jar:12.0:compile
[INFO] |  +- org.apache.commons:commons-compress:jar:1.21:compile
[INFO] |  +- io.protostuff:protostuff-core:jar:1.6.0:compile
[INFO] |  |  \- io.protostuff:protostuff-api:jar:1.6.0:compile
[INFO] |  \- io.protostuff:protostuff-runtime:jar:1.6.0:compile
[INFO] |     \- io.protostuff:protostuff-collectionschema:jar:1.6.0:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] +- org.apache.logging.log4j:log4j-jcl:jar:2.17.1:compile
[INFO] |  \- commons-logging:commons-logging:jar:1.2:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.6:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.27:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile

Suggested solutions:

Update dependency version

Thank you very much.
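The dependency tree above shows that jraft-example does not declare snakeyaml itself; it arrives transitively through com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.12.6, so "update dependency version" in practice means either bumping that Jackson module or pinning snakeyaml in dependencyManagement. The script below is an added example written for this issue, not code from sofa-jraft or from the reporter: it parses a constructed subset of the `mvn dependency:tree` output in the report, flags any org.yaml:snakeyaml version inside the reported [0, 1.31) range, prints the chain of artifacts that pulls it in, and emits the pom override. The affected range, the fixed version 1.31, and the simplified version ordering (qualifiers such as `.Final` are ignored) are assumptions of the example.

```python
"""Check a `mvn dependency:tree` dump for an artifact inside a CVE's affected
version range, report the chain that pulls it in, and print a pom override.

Added example for this issue; not code from sofa-jraft. The tree below is a
constructed subset of the one in the report; the range [0, 1.31) and the
fixed version 1.31 come from the report and are treated as assumptions."""
import re
from typing import List, Optional, Tuple

# Constructed from the dependency tree in the issue (subset), plus two
# ordinary Maven log lines to show that non-artifact lines are skipped.
SAMPLE_TREE = r"""
[INFO] com.alipay.sofa:jraft-example:jar:1.3.12
[INFO] +- com.alipay.sofa:jraft-core:jar:1.3.12:compile
[INFO] |  +- org.ow2.asm:asm:jar:6.0:compile
[INFO] |  +- com.alipay.sofa:bolt:jar:1.6.4:compile
[INFO] |  |  +- io.netty:netty-all:jar:4.1.42.Final:compile
[INFO] |  |  \- com.alipay.sofa.common:sofa-common-tools:jar:1.0.12:compile
[INFO] |  \- io.dropwizard.metrics:metrics-core:jar:4.0.2:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.12.6:compile
[INFO] |  +- org.yaml:snakeyaml:jar:1.27:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-core:jar:2.12.6:compile
[INFO] \- com.fasterxml.jackson.core:jackson-databind:jar:2.12.6.1:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-annotations:jar:2.12.6:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
"""

# "[INFO] |  +- group:artifact:type[:classifier]:version[:scope]"
TREE_LINE = re.compile(r"^\[INFO\] (?P<prefix>[| ]*(?:\+-|\\-) )?(?P<coord>\S+)$")


def split_coord(coord: str) -> Optional[Tuple[str, str, str]]:
    """(group, artifact, version) from a Maven coordinate, or None if the
    line is not a coordinate (e.g. a separator line of dashes)."""
    parts = coord.split(":")
    if len(parts) < 4:
        return None
    version = parts[3] if len(parts) == 4 else parts[-2]  # root has no scope
    return parts[0], parts[1], version


def version_key(version: str) -> Tuple[int, ...]:
    """Leading numeric components, e.g. '4.1.42.Final' -> (4, 1, 42).
    Qualifiers are dropped: a simplification of Maven's real ordering."""
    nums: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums) or (0,)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def in_range(version: str, lower: str, upper: str) -> bool:
    """True if lower <= version < upper, the [lower, upper) form of the report."""
    v = version_key(version)
    lo, v1 = _pad(version_key(lower), v)
    v2, up = _pad(v, version_key(upper))
    return lo <= v1 and v2 < up


def parse_tree(text: str) -> List[Tuple[int, str]]:
    """(depth, coordinate) for every artifact line; the root module is depth 0.
    Maven renders each nesting level as three characters of prefix."""
    nodes = []
    for line in text.splitlines():
        m = TREE_LINE.match(line)
        if not m or split_coord(m.group("coord")) is None:
            continue
        prefix = m.group("prefix") or ""
        depth = 0 if not prefix else len(prefix.rstrip()) // 3 + 1
        nodes.append((depth, m.group("coord")))
    return nodes


def find_affected(tree: str, group: str, artifact: str, lower: str, upper: str) -> List[List[str]]:
    """For each occurrence of group:artifact inside [lower, upper), the chain
    of coordinates from the root module down to it."""
    hits: List[List[str]] = []
    stack: List[str] = []
    for depth, coord in parse_tree(tree):
        del stack[depth:]          # pop back to this node's parent
        stack.append(coord)
        g, a, version = split_coord(coord)
        if (g, a) == (group, artifact) and in_range(version, lower, upper):
            hits.append(list(stack))
    return hits


def management_override(group: str, artifact: str, fixed_version: str) -> str:
    """A <dependencyManagement> entry; Maven applies managed versions to
    transitive dependencies too, so the pin takes effect without redeclaring
    the artifact as a direct dependency."""
    return (
        "<dependencyManagement>\n  <dependencies>\n    <dependency>\n"
        f"      <groupId>{group}</groupId>\n      <artifactId>{artifact}</artifactId>\n"
        f"      <version>{fixed_version}</version>\n    </dependency>\n"
        "  </dependencies>\n</dependencyManagement>"
    )


if __name__ == "__main__":
    for chain in find_affected(SAMPLE_TREE, "org.yaml", "snakeyaml", "0", "1.31"):
        print(" -> ".join(chain))
    print(management_override("org.yaml", "snakeyaml", "1.31"))
```

After pinning, re-run `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` on the module and confirm the resolved version is 1.31 or later; the jackson-dataformat-yaml module that pulls snakeyaml in should also be exercised by the module's tests, since the pin changes a library it links against. Note that the version ordering here is deliberately simplified: treat a `-SNAPSHOT` or other qualified version as a case to check by hand.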