Greengrass 2.11.2 has CVE-2022-1471

Question

On doing a scan of an ECR image, which includes the Greengrass Nucleus Software, it reports that both filepaths 'greengrass/v2/packages/artifacts-unarchived/aws.greengrass.Nucleus/2.11.2/aws.greengrass.nucleus/lib/Greengrass.jar' and 'opt/greengrassv2/lib/Greengrass.jar'  is vulnerable to 
 CVE-2022-1471, through org.yaml:snakeyaml.

Can you give any guidance as to how we can address this issue ? That is the most recent up-to-date version of the Greengrass nucleus.

Answer

Hello,

Greengrass is not affected by this CVE.
This CVE concerns SnakeYaml’s `Constructor() class does not restrict types which can be instantiated during deserialization`. Greengrass does not use SnakeYaml directly. We import an old version of Jackson dataformat library, which uses SnakeYaml. Jackson is also not affected by this CVE. https://github.com/FasterXML/jackson-dataformats-text/issues/392

We will update Jackson library in our next Nucleus release.

Greengrass 2.11.2 has CVE-2022-1471

Relevanter Inhalt