CVE-2022-1471 (snakeyaml) CVSS 9.8 (critical) is affecting SBOM's containing jruby

[derekhillhp]

Our software calls asciidoctorj as a dependent library, which in turn calls jruby, which relies on snakeyaml

snakeyaml < 2.0 currently has a critical CVE, CVE-2022-1471 -- https://nvd.nist.gov/vuln/detail/CVE-2022-1471

jruby pulls in a version prior to 2.0

Please update jruby to pull in snakeyaml 2.0 or greater.

I am very well aware of this previous comment: #7570 (comment)

However, this critical vulnerability is coming up in SBOM reports from pretty much all SCA/OSA vendors and is blocking deployments using the vulnerable version of snakeyaml.

edit: fixed typo

[headius]

If we got asciidoctorj to release a new version that uses JRuby 9.4.3.0, which uses SnakeYAML-Engine that does not have these CVEs... would you be able to upgrade asciidoctorj?

We're kinda stuck between a rock and a hard place here. Forcing an upgrade of SnakeYAML on JRuby 9.3.x users means they will suddenly be using a YAML 1.2 engine, and noncompliant YAML will be rejected. We'll definitely get bug reports about it. On the other hand, JRuby 9.4.3+ already use the newer SnakeYAML with no CVEs, so there's an upgrade path.

[headius]

FYI the train has left the station for JRuby 9.3.11 at this point. Any change would have to be in 9.3.12. As detailed in #7600 (#7600 (comment)) these are the options I saw:

• Upgrade psych. This seems too risky given the leap to YAML 1.2 as described above.
• Unbundle psych altogether. Probably not a realistic option since it's part of the standard library.
• Release a separate jruby-complete artifact that only upgrades psych. This would solve the main CVE case of psych bundled within the release artifact, but it would be complicated to create and support.
• Do nothing. Users should upgrade to 9.4 if they have SnakeYAML CVE issues with 9.3.

After some thinking I came up with one more option. It's not great but it would solve all problems.

• Fork the last non-Engine SnakeYAML, remove the CVE parts, re-release under the org.jruby group ID, make a special version of Psych that uses it, and integrate that into JRuby 9.3.12.

Of these options we still prefer to do nothing, but I understand that is a nonstarter for situations like yours where you need asciidoctorj and it depends on a version of JRuby that uses the older SnakeYAML.

[headius]

I've opened asciidoctor/asciidoctorj#1234 to try to make progress on the asciidoctorj side.

[derekhillhp]

Thank you for the update. I am bit confused, the latest version of asciidoctorj (2.5.10) still pulls in a version of jruby prior to 9.4.3, (it pulls 9.4.2.0) so are you saying that even the latest version of asciidoctorj is still susceptible to the snakeyaml vulnerability?

I appreciate the efforts, but this combination of asciidoctorj -> jruby -> snakeyaml is going to be the end of me. :-) (have to have a sense of humor).

asciidoctor/asciidoctorj#1215

But if you can work with the asciidoctorj team to coordinate an upgrade of both products, that would be awesome.

[headius]

@derekhillhp Aha, you know what, you are right! I was surprised 9.4.1.0 happened after the big psych update, but it did, and 9.4.1.0 does NOT use the SnakeYAML that has CVEs.

Is that something you can't upgrade? I am confused about this issue if you know that latest asciidoctorj uses a fixed version of JRuby.

[derekhillhp]

We need to do some more checking, but our tool is no longer showing snakeyaml as a dependency to jruby. Can you elaborate a bit more on snakeyaml-engine.

[headius]

@derekhillhp I think @asomov could describe things better but SnakeYAML-Engine replaces SnakeYAML and updates YAML support to 1.2. It includes none of the Java marshaling/deserialization features that triggered CVE concerns in the original SnakeYAML.

https://bitbucket.org/snakeyaml/snakeyaml-engine/src/master/

It evolved out of the original but many APIs have been updated or removed. We had very little trouble switching, and will be using SnakeYAML-Engine for all JRuby Psych (YAML API for Ruby) releases going forward.

JRuby started using SnakeYAML-Engine via Psych 5.1.0 in JRuby 9.4.1.0 early this year.

• New snakeyaml vulnerability has dropped, affects jruby-complete #7570
• Use Psych 5.1 #7626
• Move JRuby extension to SnakeYAML Engine ruby/psych#612

We have at this time decided NOT to upgrade Psych (and therefore not upgrade SnakeYAML to SnakeYAML-Engine) in the JRuby 9.3 line because it would introduce the breaking change of forcing YAML 1.2 compliance on existing users. I initially thought that's what you were asking for, since we made this decision within the past few days (#7600).

[derekhillhp]

@headius -- just to clarify for my sanities sake, the switch from snakeyaml -> snakeyaml-engine happened in jruby 9.4.1.0 and asciidoctorj picked up jruby 9.4.2.0 when they updated to 2.5.10, therefore eliminating the snakeyaml (non engine) version and all associated CVE's that were related to the deserialization portion of snakeyaml.

If that is indeed the case, then thank you for the previous work, I suppose we can go an close the issue then.

[headius]

@derekhillhp The upgrade to SnakeYAML-Engine happened in JRuby 9.4.1.0, and up until my PR above that was the version that asciidoctorj was using on master. I am not certain about the release cadence of asciidoctorj, but since that change happened in February/March, I'm fairly sure that any asciidoctorj since then has used JRuby 9.4.1.0 and are therefore not beholden to the CVE problems of SnakeYAML (non-Engine).

...therefore eliminating the snakeyaml (non engine) version and all associated CVE's that were related to the deserialization portion of snakeyaml.

The rest of this is correct.

The PR I made today upgrades asciidoctorj to 9.4.3.0, which doesn't change anything about the SnakeYAML story, but it was merged and so future asciidoctorj releases will use at least 9.4.3.0.

It's probably worth asking yourself in the asciidoctorj issue tracker or discussions for clarification as to what releases contain which versions of JRuby.

Thanks for working through this with me!

[asomov]

@derekhillhp I would like to confirm what @headius said above about SnakeYAML Engine