
Update snakeyaml plugin to 2.0 to silence security scanners

      The latest weekly Jenkins build has the following vulnerability detected:

       CVE-2022-1471 - Package: org.yaml:snakeyaml - Package Type: MAVEN
       Affected Version: 1.32, Fixed Version: 2.0

      Can someone update the latest build with the above version that applies the fixes?

          Mark Waite added a comment -

          teilo has reported in a GitHub comment that:

          https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE%20&%20NIST.md

          There is no vulnerability in snakeyaml - it works as expected - the vulnerability is in any libraries that use it insecurely with untrusted data. The Jenkins plugin ecosystem has been checked for this usage.

          There was a very good commentary on this in the snakeyaml issue tracker - but it seems the whole issue tracker has gone awol :-o

          Additionally as commented above - 2.0 is potentially breaking so this needs some time to check all consumers will not break and adjust them as appropriate. In the interim - unless you are using a plugin that has not come from a supported Jenkins update center your scanner is wrong, ie check the plugins you have installed in your instance that depend on this plugin, and if any are internally written or have been installed manually then they need to be inspected.

          I reduced the severity of this from Critical to Minor, since the benefit to Jenkins users is to avoid spurious warnings from security scanners, not to resolve a vulnerability.

          Basil Crow added a comment -

          From jenkinsci/snakeyaml-api-plugin#79:

           I recommend that the @jenkinsci/snakeyaml-plugin-developers consult https://diff.revapi.org to determine the API differences between the current 1.x version and the desired 2.x version, search for consumers using https://github.com/jenkins-infra/usage-in-plugins, and release a new version of snakeyaml-api-plugin after having adapted any consumers (if necessary) to the breaking API changes.

          Mark Waite added a comment -

          I find no reference to snakeyaml versions in searching an installation of Jenkins core without plugins installed. The one reference to snakeyaml that I see in my installation is from the snakeyaml-2.2 plugin. It bundles the latest release of snakeyaml

          Tom added a comment - - edited

          I can see there is a merged PR which updates the plugin to version 2.2: https://github.com/jenkinsci/snakeyaml-api-plugin/pull/96

          But my vulnerability scanner still reports this vulnerability. I'm using this image: jenkins/jenkins:2.429-alpine-jdk1

          is there something I'm missing?

          Basil Crow added a comment -

          The SnakeYAML Jenkins plugin 1.33-95.va_b_a_e3e47b_fa_4 is still bundled in the Jenkins WAR as a detached plugin. I recommend this be upgraded to the latest version.

          Basil Crow added a comment -

          The bundled plugin in Jenkins core was updated in https://github.com/jenkinsci/jenkins/pull/8674

          Tom added a comment -

          The jenkins inbound agent docker image has the same CVE vulnerability. When will these images be released with a patch?

          Mark Waite added a comment -

          tomz I'm not able to find any reference to SnakeYAML or the SnakeYAML API plugin in jenkins/inbound-agent:3192.v713e3b_039fb_e-2-alpine. I searched with the following commands:

          $ docker pull jenkins/inbound-agent:3192.v713e3b_039fb_e-2-alpine
          $ docker run --rm -i -t jenkins/inbound-agent:3192.v713e3b_039fb_e-2-alpine /bin/bash
          $ grep -r -i -l -s snakeyaml /
          

          Can you provide details that show where you found a reference to SnakeYAML 1.33 or older in an inbound agent image?
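One way to answer the questions raised in this thread on your own instance, namely which installed plugin a scanner's snakeyaml hit actually comes from, what version of the jar it bundles, and which plugins depend on snakeyaml-api and therefore merit inspection, as an added Python example that is not part of this issue, the SnakeYAML API plugin or the Jenkins project. It assumes a Jenkins plugins directory of .hpi/.jpi archives laid out the usual way (META-INF/MANIFEST.MF carrying Short-Name and Plugin-Dependencies, bundled jars under WEB-INF/lib, Maven pom.properties inside the jar). The directory it scans is constructed inline with fictitious plugin names (only snakeyaml-api is real) so it runs offline; point scan_plugins_dir at $JENKINS_HOME/plugins for a real check.

```python
"""Locate bundled SnakeYAML jars and snakeyaml-api consumers in a Jenkins
plugins directory. Added example, not Jenkins project code; the plugins
directory scanned below is constructed sample data."""
import io
import itertools
import os
import re
import tempfile
import zipfile

# Fixed version for CVE-2022-1471 as reported in the issue.
FIXED_VERSION = (2, 0)


def parse_version(text):
    """Leading numeric components as a tuple: '1.33' -> (1, 33),
    '1.33-95.va_b_a_e3e47b_fa_4' -> (1, 33, 95); stops at the first non-numeric token."""
    return tuple(int(t) for t in itertools.takewhile(str.isdigit, re.split(r"[.-]", text)))


def parse_manifest(text):
    """MANIFEST.MF -> dict; a line starting with a space continues the previous value."""
    attrs, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def snakeyaml_jar_version(plugin_zip, member):
    """Version of a bundled snakeyaml jar: prefer Maven pom.properties inside
    the jar, fall back to the version embedded in the file name."""
    version = re.fullmatch(r"WEB-INF/lib/snakeyaml-(.+)\.jar", member).group(1)
    with zipfile.ZipFile(io.BytesIO(plugin_zip.read(member))) as jar:
        for name in jar.namelist():
            if name.endswith("org.yaml/snakeyaml/pom.properties"):
                for line in jar.read(name).decode().splitlines():
                    if line.startswith("version="):
                        version = line.partition("=")[2].strip()
    return version


def inspect_plugin(path):
    """Summarise one plugin archive: short name, whether it depends on
    snakeyaml-api, bundled snakeyaml jar versions, and whether any of those
    is below FIXED_VERSION (the case a scanner would flag)."""
    with zipfile.ZipFile(path) as z:
        attrs = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        deps = [d.split(":")[0].strip()
                for d in attrs.get("Plugin-Dependencies", "").split(",") if d.strip()]
        jars = [snakeyaml_jar_version(z, m) for m in z.namelist()
                if re.fullmatch(r"WEB-INF/lib/snakeyaml-.+\.jar", m)]
    return {
        "short_name": attrs.get("Short-Name", os.path.basename(path)),
        "depends_on_snakeyaml_api": "snakeyaml-api" in deps,
        "snakeyaml_jars": jars,
        "below_fixed": any(parse_version(v) < FIXED_VERSION for v in jars),
    }


def scan_plugins_dir(directory):
    """Inspect every .hpi/.jpi file in a Jenkins plugins directory."""
    return [inspect_plugin(os.path.join(directory, f))
            for f in sorted(os.listdir(directory)) if f.endswith((".hpi", ".jpi"))]


def _write_plugin(directory, file_name, manifest, bundled_snakeyaml=None):
    """Write a minimal fake plugin archive (constructed sample data)."""
    with zipfile.ZipFile(os.path.join(directory, file_name), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        if bundled_snakeyaml:
            jar = io.BytesIO()
            with zipfile.ZipFile(jar, "w") as inner:
                inner.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                               "version=%s\n" % bundled_snakeyaml)
            z.writestr("WEB-INF/lib/snakeyaml-%s.jar" % bundled_snakeyaml, jar.getvalue())


def build_sample_plugins_dir():
    """Constructed sample (fictitious names except snakeyaml-api): a snakeyaml-api
    plugin still bundling 1.33, one consumer of it, and an unrelated plugin."""
    d = tempfile.mkdtemp(prefix="jenkins-plugins-")
    _write_plugin(d, "snakeyaml-api.jpi",
                  "Manifest-Version: 1.0\nShort-Name: snakeyaml-api\n"
                  "Plugin-Version: 1.33-95.va_b_a_e3e47b_fa_4\n", bundled_snakeyaml="1.33")
    _write_plugin(d, "example-consumer.jpi",
                  "Manifest-Version: 1.0\nShort-Name: example-consumer\n"
                  "Plugin-Dependencies: snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4,\n"
                  " some-other-api:1.0;resolution:=optional\n")
    _write_plugin(d, "unrelated.jpi", "Manifest-Version: 1.0\nShort-Name: unrelated\n")
    return d


if __name__ == "__main__":
    for result in scan_plugins_dir(build_sample_plugins_dir()):
        print(result)
```

A plugin reported with below_fixed is where the scanner's finding originates; plugins reported with depends_on_snakeyaml_api but no bundled jar are the consumers the thread says to inspect, since they inherit whatever the snakeyaml-api plugin ships. The version check is purely a match against the advisory's fixed version; it does not tell you whether a consumer actually parses untrusted YAML with an unsafe constructor, which is the question that decides whether CVE-2022-1471 applies.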

          Tom added a comment -

          After some time of investigation it seems that the issue comes from the modifications of my team. Sorry for the trouble and thanks for your time!

            Assignee: Unassigned
            Reporter: fitzwar (Andrew)