CVE-2022-25857 - Upgrade to SnakeYAML 1.31

[bclozel]

CVE-2022-25857 has been reported against the SnakeYaml project. This issue upgrades SnakeYaml to 1.31 for Spring Boot 3.0.0.

This CVE can make applications vulnerable to DoS attacks, given the Yaml parser is used to parse untrusted input. Most Spring Boot applications use this library to parse their own application.yml configuration file, which is considered as safe. If an attacker could change application.yml to exploit this vulnerability, they could cause much more damage than a DoS by just changing the properties, or by reading secrets.

The Spring Boot policy for upgrading third party dependencies in our dependency management prevents us from upgrading this version in maintenance branches, 2.6.x and 2.7.x. Doing so would expose developers to possible behavior or API changes that would disrupt their application. We've discussed the possibility of making an exception to this policy, but this case happened in the past already with SnakeYaml 1.26 (see #20366); so far we don't see a reason to do so and we expect libraries maintainers to release patch versions for CVE fixes.

If your 2.6.x or 2.7.x application is using SnakeYaml to decode untrusted Yaml, for example from a web controller, you should override the SnakeYAML version property (snakeyaml.version) as soon as possible in your Gradle or Maven build.

[bclozel]

Update: we've just pushed a fix for broken timestamp/dates handling with SnakeYaml 1.31 in the upcoming Spring Boot 2.6.x and 2.7.x. We're still defaulting to 1.29 and 1.30 in those versions, but unlocking the possibility to use SnakeYaml 1.31 at runtime; see #32228.

[bclozel]

@nytro77 thanks I've edited my comment. Yes we'll stick to 1.30 in 2.7.x for the same reason.

[nytro77]

@bclozel Ah ok. Just deleted my comment because i thought my eyes tricked me :)
Great thanks

[asomov]

It is sad, that false positives have such an influence.

[robert-gdv]

@bclozel Would you include an update to a potential Version 1.30.1 of snakeyaml, that fixes only same bugs in 2.7.x ?
I am trying to convince the maintainer of snakeyaml to release such a hotfix.

My issue is, that I support dozens of projects where this vulnerability popped up. Unfortunately I can't mark it in general as "false positive". Instead I have to check every project, that it doesn't process external yamls. I assume that there a thousands of teams around the world doing the same thing.

[asomov]

@bclozel what are the bugs ?

[wilkinsona]

IMO, the root cause of the problem is the CVE database and security scanning throwing up false positives. Trying to convince an open source maintainer to take on an additional maintenance burden due to that doesn't feel right to me.

You can use SnakeYAML 1.31 right now with Spring Boot 2.6 and 2.7 with one small caveat. Due to a change in a method that Spring Boot overrides, some custom handling of timestamp-like values is lost. Consider the following YAML:

example: 2015-01-28

With SnakeYAML 1.30 and earlier, Spring Boot will successfully customize SnakeYAML so that the value is left as-is. With SnakeYAML 1.31 this customization does not succeed and it is coerced into a java.util.Date. You can work around this change in behaviour by quoting the value, thereby ensuring that it's left as-is:

example: '2015-01-28'

The forthcoming Spring Boot 2.6.x and 2.7.x releases adapt to the changes in SnakeYAML 1.31 so that this quoting isn't necessary (but won't do any harm).

[asomov]

@wilkinsona can you please provide the method which was changed ? We do our best to keep backwards compatible changes