Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Greengrass 2.11.2 has CVE-2022-1471

0

On doing a scan of an ECR image, which includes the Greengrass Nucleus Software, it reports that both filepaths 'greengrass/v2/packages/artifacts-unarchived/aws.greengrass.Nucleus/2.11.2/aws.greengrass.nucleus/lib/Greengrass.jar' and 'opt/greengrassv2/lib/Greengrass.jar' is vulnerable to CVE-2022-1471, through org.yaml:snakeyaml.

Can you give any guidance as to how we can address this issue ? That is the most recent up-to-date version of the Greengrass nucleus.

Argomenti
Internet delle cose (IoT)Sicurezza, identità e conformità
Tag
AWS IoT GreengrassSicurezza, identità e conformitàSicurezza dei dispositivi
Lingua
English
scriobhneoir
posta 9 mesi fa278 visualizzazioni
1 Risposta
2

Hello,

Greengrass is not affected by this CVE. This CVE concerns SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Greengrass does not use SnakeYaml directly. We import an old version of Jackson dataformat library, which uses SnakeYaml. Jackson is also not affected by this CVE. https://github.com/FasterXML/jackson-dataformats-text/issues/392

We will update Jackson library in our next Nucleus release.

AWS
yitingb
con risposta 9 mesi fa
AWS
ESPERTO
MichaelDombrowski-AWS
verificato 9 mesi fa
profile picture
ESPERTO
Gary Mclean
verificato 9 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente