java-server-sdk is vulnerable to CVE-2022-1471 RCE #288
Description
Is this a support request?
This issue tracker is maintained by LaunchDarkly SDK developers and is intended for feedback on the SDK code. If you're not sure whether the problem you are having is specifically related to the SDK, or to the LaunchDarkly service overall, it may be more appropriate to contact the LaunchDarkly support team; they can help to investigate the problem and will consult the SDK team if necessary. You can submit a support request by going here or by emailing support@launchdarkly.com.
Note that issues filed on this issue tracker are publicly accessible. Do not provide any private account information on your issues. If your problem is specific to your account, you should submit a support request as described above.
Describe the bug
CVE-2022-1471 allows the org.yaml.snakeyaml.Yaml file to instantiate arbitrary Java classes when reading yaml files, which can be used to achieve an RCE (remote code execution).
To reproduce
see https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in
Expected behavior
launchdarkly should use org.yaml.snakeyaml.constructor.SafeConstuctor to prevent the RCE.
Logs
If applicable, add any log output related to your problem.
SDK version
latest
Language version, developer tools
For instance, Go 1.11 or Ruby 2.5.3. If you are using a language that requires a separate compiler, such as C, please include the name and version of the compiler too.
OS/platform
For instance, Ubuntu 16.04, Windows 10, or Android 4.0.3. If your code is running in a browser, please also include the browser type and version.
Additional context
Add any other context about the problem here.