En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

Greengrass 2.11.2 has CVE-2022-1471

0

On doing a scan of an ECR image, which includes the Greengrass Nucleus Software, it reports that both filepaths 'greengrass/v2/packages/artifacts-unarchived/aws.greengrass.Nucleus/2.11.2/aws.greengrass.nucleus/lib/Greengrass.jar' and 'opt/greengrassv2/lib/Greengrass.jar' is vulnerable to CVE-2022-1471, through org.yaml:snakeyaml.

Can you give any guidance as to how we can address this issue ? That is the most recent up-to-date version of the Greengrass nucleus.

Sujets
Internet des objets (IoT)Sécurité, identité et conformité
Balises
AWS IoT GreengrassSécurité, identité et conformitéSécurité des appareils
Langue
English
scriobhneoir
demandé il y a 9 mois278 vues
1 réponse
2

Hello,

Greengrass is not affected by this CVE. This CVE concerns SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Greengrass does not use SnakeYaml directly. We import an old version of Jackson dataformat library, which uses SnakeYaml. Jackson is also not affected by this CVE. https://github.com/FasterXML/jackson-dataformats-text/issues/392

We will update Jackson library in our next Nucleus release.

AWS
yitingb
répondu il y a 9 mois
AWS
EXPERT
MichaelDombrowski-AWS
vérifié il y a 9 mois
profile picture
EXPERT
Gary Mclean
vérifié il y a 9 mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents