Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post

Greengrass 2.11.2 has CVE-2022-1471

0

On doing a scan of an ECR image, which includes the Greengrass Nucleus Software, it reports that both filepaths 'greengrass/v2/packages/artifacts-unarchived/aws.greengrass.Nucleus/2.11.2/aws.greengrass.nucleus/lib/Greengrass.jar' and 'opt/greengrassv2/lib/Greengrass.jar' is vulnerable to CVE-2022-1471, through org.yaml:snakeyaml.

Can you give any guidance as to how we can address this issue ? That is the most recent up-to-date version of the Greengrass nucleus.

Temas
Internet de las cosas (IoT)Seguridad, identidad y cumplimiento
Etiquetas
AWS IoT GreengrassSeguridad, identidad y cumplimientoSeguridad del dispositivo
Idioma
English
scriobhneoir
preguntada hace 9 meses278 visualizaciones
1 Respuesta
2

Hello,

Greengrass is not affected by this CVE. This CVE concerns SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Greengrass does not use SnakeYaml directly. We import an old version of Jackson dataformat library, which uses SnakeYaml. Jackson is also not affected by this CVE. https://github.com/FasterXML/jackson-dataformats-text/issues/392

We will update Jackson library in our next Nucleus release.

AWS
yitingb
respondido hace 9 meses
AWS
EXPERTO
MichaelDombrowski-AWS
revisado hace 9 meses
profile picture
EXPERTO
Gary Mclean
revisado hace 9 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas

Contenido relevante