Greengrass 2.11.2 has CVE-2022-1471

0

On doing a scan of an ECR image, which includes the Greengrass Nucleus Software, it reports that both filepaths 'greengrass/v2/packages/artifacts-unarchived/aws.greengrass.Nucleus/2.11.2/aws.greengrass.nucleus/lib/Greengrass.jar' and 'opt/greengrassv2/lib/Greengrass.jar' is vulnerable to CVE-2022-1471, through org.yaml:snakeyaml.

Can you give any guidance as to how we can address this issue ? That is the most recent up-to-date version of the Greengrass nucleus.

1 Answer
2

Hello,

Greengrass is not affected by this CVE. This CVE concerns SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Greengrass does not use SnakeYaml directly. We import an old version of Jackson dataformat library, which uses SnakeYaml. Jackson is also not affected by this CVE. https://github.com/FasterXML/jackson-dataformats-text/issues/392

We will update Jackson library in our next Nucleus release.

AWS
yitingb
answered 8 months ago
AWS
EXPERT
reviewed 8 months ago
profile picture
EXPERT
reviewed 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions