logstash icon indicating copy to clipboard operation
logstash copied to clipboard
verified publisher icon elastic

Snakeyaml 1.33 to be updated to 2.0

Open JonahLuckett opened this issue 2 years ago • 16 comments

Description

The release of SnakeYAML 2.0 resolves CVE-2022-1471 - currently Logstash is using SnakeYAML 1.33

Currently a clean bump to 2.0 results in the following error taken from this comment:

> Task :installBundler
uri:classloader:/META-INF/jruby.home/lib/ruby/stdlib/rubygems.rb:632: warning: The Psych YAML extension failed to load.
Check your env for conflicting versions of SnakeYAML
See https://github.com/jruby/jruby/wiki/FAQs#why-does-the-psych-yaml-extension-fail-to-load-in-my-environment

> Task :installBundler FAILED

FAILURE: Build failed with an exception.

* Where:
Script '/home/andrea/workspace/logstash_andsel/rubyUtils.gradle' line: 101

* What went wrong:
Execution failed for task ':installBundler'.
> (LoadError) bad SnakeYAML version 2.0, required 1.21 or higher; check your CLASSPATH for a conflicting jar

* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 39s
49 actionable tasks: 35 executed, 14 up-to-date

Concerns raised that will be covered by the fix to this work:

  • SafeConstructor ignores LoaderOptions setCodePointLimit() changelog: when we upgraded to 1.33 we set code point limit and now it ignores in 2.0. We have to make sure our sources are CVE free.
  • CustomClassLoaderConstructor takes LoaderOptions: when creating Yaml interface, we have some places utilize CustomClassLoaderConstructor and now it requires LoaderOptions.

Relevant documentation

  • https://github.com/elastic/logstash/pull/14948 - current PR
  • https://nvd.nist.gov/vuln/detail/CVE-2022-1471

JonahLuckett avatar Jun 13 '23 10:06 JonahLuckett

Currently working on the fix for this - waiting to be assigned to the issue by someone with the relevant permissions

JonahLuckett avatar Jun 13 '23 10:06 JonahLuckett

@mashhurs @jsvd

deepakLabs avatar Jun 13 '23 11:06 deepakLabs

Resolved with https://github.com/elastic/logstash/pull/15125

mashhurs avatar Jun 29 '23 14:06 mashhurs

Amazing news! @mashhurs Do you know if this went out with 8.8.2 or if it is planned for 8.8.3+

JonahLuckett avatar Jul 03 '23 15:07 JonahLuckett

@JonahLuckett CVE-2022-1471 is still present in 8.8.2

aumayr avatar Jul 04 '23 07:07 aumayr

Edit: 8.10 version (hopefully release soon) will be less affected version includes this change.

mashhurs avatar Jul 04 '23 16:07 mashhurs

@mashhurs The release notes for 8.9.0 says snakeyaml has been updated to 2.0. However when I scan with Trivy it doesn't seem to be the case?

sonloi avatar Jul 26 '23 13:07 sonloi

@mashhurs The release notes for 8.9.0 says snakeyaml has been updated to 2.0. However when I scan with Trivy it doesn't seem to be the case?

Sorry for confusion, updated the release note (https://github.com/elastic/logstash/pull/15221), web page update will be reflected soon.

mashhurs avatar Jul 26 '23 18:07 mashhurs

@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!

mseiler90 avatar Sep 21 '23 15:09 mseiler90

@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!

@mseiler90 Logstash core updated snakeyaml in 8.10.x versions. Can you show me the output of your scanner or the way you figure out that snakeyaml didn't get updated.

mashhurs avatar Sep 21 '23 16:09 mashhurs

@mashhurs is there any update on when this will be released? I see there is already an 8.10.2 version, but doesn't seem to include this yet. Thanks!

@mseiler90 Logstash core updated snakeyaml in 8.10.x versions. Can you show me the output of your scanner or the way you figure out that snakeyaml didn't get updated.

Here are two screehsots showing the vulnerability along with some others and a screenshot of the labels to show that it is 8.10.2. This is from Prisma Compute (Twistlock). We also see it in Azure Defender. Vulnerabilities Labels

mseiler90 avatar Sep 21 '23 17:09 mseiler90

@mashhurs any thoughts on this? I do see in the build.gradle that 2.0 is explicitly set, but the image scanning tools still seem to think otherwise for me. Do happen to have any insight into the other vulnerabilities being addressed as well? Thanks for your help.

mseiler90 avatar Sep 27 '23 12:09 mseiler90

After further investigation, it seems it is due to the logstash-filter-useragent-3.3.4.jar which I see a PR on this repo addressed https://github.com/logstash-plugins/logstash-filter-useragent/pull/89 and I'm assuming Logstash 8.10.3 will include this updated jar?

mseiler90 avatar Sep 27 '23 14:09 mseiler90

After further investigation, it seems it is due to the logstash-filter-useragent-3.3.4.jar which I see a PR on this repo addressed logstash-plugins/logstash-filter-useragent#89 and I'm assuming Logstash 8.10.3 will include this updated jar?

Yes, filter-useragent changes will reflect in 8.10.3. The screenshot you showed in your previous comment shows the JARs but doesn't shows the full path. Can you let me know where those JARs located? I am also assuming it is in useragent plugin JAR but not 100% sure.

mashhurs avatar Sep 27 '23 16:09 mashhurs

Unfortunately that tool isn't showing the the actual jar that the vulnerabilities are in. Our company proxies images through JFrog Artifactory, and using that I reviewed the Xray scan and found the snakeyaml vulnerability in the useragent jar. The other vulnerabilities appear to be in the main jar as the paths are not indicating any other jar like the snakeyaml vulnerability.

mseiler90 avatar Sep 27 '23 16:09 mseiler90

@mashhurs I've updated to 8.11.1 and I can see that snakeyaml 1.33 is still present in logstash/logstash-core/lib/jars/snakeyaml-1.33.jar

sonloi avatar Nov 16 '23 16:11 sonloi