CVE-2022-1471: Remote Code execution in SnakeYAML
First published: Thu Dec 01 2022(Updated: )
### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... ^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022
Credit: cve-coordination@google.com cve-coordination@google.com cve-coordination@google.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Snakeyaml Project Snakeyaml | <2.0 | |
| maven/org.yaml:snakeyaml | <=1.33 | 2.0 |
| IBM Cognos Analytics | <=12.0.0-12.0.1 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP2 | |
| IBM Cognos Analytics | <=11.1.1-11.1.7 FP7 | |
| <2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/175095/PyTorch-Model-Server-Registration-Deserialization-Remote-Code-Execution.html
- https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479
- https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2
- https://github.com/mbechler/marshalsec
- https://groups.google.com/g/kubernetes-security-announce/c/mwrakFaEdnc
- https://security.netapp.com/advisory/ntap-20230818-0015/
- https://www.github.com/mbechler/marshalsec/blob/master/marshalsec.pdf?raw=true
- http://www.openwall.com/lists/oss-security/2023/11/19/1
- https://nvd.nist.gov/vuln/detail/CVE-2022-1471
- https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
- https://bitbucket.org/snakeyaml/snakeyaml/wiki/CVE-2022-1471
- https://snyk.io/blog/unsafe-deserialization-snakeyaml-java-cve-2022-1471/
- https://bitbucket.org/snakeyaml/snakeyaml/commits/5014df1a36f50aca54405bb8433bc99a8847f758
- https://bitbucket.org/snakeyaml/snakeyaml/commits/acc44099f5f4af26ff86b4e4e4cc1c874e2dc5c4
- https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314
- https://github.com/advisories/GHSA-mjmj-j48q-9wg2 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/241118
- https://www.ibm.com/support/pages/node/7123154 (Advisory)
- https://access.redhat.com/errata/RHSA-2022:9032
- https://access.redhat.com/errata/RHSA-2022:9058
- https://issues.redhat.com/browse/CRW-3658?filter=12405213&jql=project%20%3D%20CRW%20AND%20component%20%3D%20%22productization%3A%20security%20%26%20legal%22%20AND%20labels%20%3D%20SecurityTracking%20AND%20resolution%20is%20EMPTY%20and%20text%20~%20snakeyaml
- https://access.redhat.com/errata/RHSA-2023:0758
- https://access.redhat.com/errata/RHSA-2023:0697
- https://access.redhat.com/errata/RHSA-2023:0777
- https://access.redhat.com/errata/RHSA-2023:1043
- https://access.redhat.com/errata/RHSA-2023:1044
- https://access.redhat.com/errata/RHSA-2023:1045
- https://access.redhat.com/errata/RHSA-2023:1047
- https://access.redhat.com/errata/RHSA-2023:1049
- https://access.redhat.com/errata/RHSA-2023:1006
- https://access.redhat.com/errata/RHSA-2023:1514
- https://access.redhat.com/errata/RHSA-2023:1513
- https://access.redhat.com/errata/RHSA-2023:1512
- https://access.redhat.com/errata/RHSA-2023:1516
- https://access.redhat.com/errata/RHSA-2023:2097
- https://access.redhat.com/errata/RHSA-2023:3198
- https://access.redhat.com/errata/RHSA-2023:4612
- https://access.redhat.com/errata/RHSA-2023:5165
- https://access.redhat.com/errata/RHSA-2023:7697
- https://access.redhat.com/errata/RHSA-2024:0325
- https://access.redhat.com/errata/RHSA-2024:0775
- https://access.redhat.com/errata/RHSA-2024:1353
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2272329
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2272330
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2272331
- https://bugzilla.redhat.com/show_bug.cgi?id=2150009
Frequently Asked Questions
What is CVE-2022-1471?
CVE-2022-1471 is a vulnerability in SnakeYaml that could allow a remote authenticated attacker to execute arbitrary code on the system.
How does SnakeYaml's Constructor class contribute to the vulnerability?
SnakeYaml's Constructor class, which inherits from SafeConstructor, allows any type to be deserialized, regardless of matching the types of properties in the target class.
What is the severity of CVE-2022-1471?
CVE-2022-1471 has a severity rating of 9.8 (Critical).
Which software versions are affected by CVE-2022-1471?
Versions up to and including 1.33 of the org.yaml:snakeyaml package, versions up to and excluding 2.0 of Snakeyaml Project Snakeyaml, and versions up to and including v1.8.2 of IBM Disconnected Log Collector are affected by CVE-2022-1471.
How can I fix CVE-2022-1471?
To fix CVE-2022-1471, update the affected software packages to version 2.0 for org.yaml:snakeyaml, version 2.0 or later for Snakeyaml Project Snakeyaml, and version 1.8.3 or later for IBM Disconnected Log Collector.
- collector/nvd-index
- collector/oss-sec
- alias/CVE-2023-46302
- alias/CVE-2022-1471
- collector/mitre-cve
- collector/github-advisory-latest
- alias/GHSA-mjmj-j48q-9wg2
- collector/nvd-api
- collector/github-advisory
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/title
- agent/author
- agent/event
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/references
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- collector/nvd-cve
- source/NVD
- vendor/snakeyaml project
- canonical/snakeyaml project snakeyaml
- package-manager/maven
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.1
- version/ibm cognos analytics/11.2.0-11.2.4 fp2
- version/ibm cognos analytics/11.1.1-11.1.7 fp7