使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Greengrass 2.11.2 has CVE-2022-1471

0

On doing a scan of an ECR image, which includes the Greengrass Nucleus Software, it reports that both filepaths 'greengrass/v2/packages/artifacts-unarchived/aws.greengrass.Nucleus/2.11.2/aws.greengrass.nucleus/lib/Greengrass.jar' and 'opt/greengrassv2/lib/Greengrass.jar' is vulnerable to CVE-2022-1471, through org.yaml:snakeyaml.

Can you give any guidance as to how we can address this issue ? That is the most recent up-to-date version of the Greengrass nucleus.

主題
物聯網 (IoT)安全性、身分識別與合規
標籤
AWS IoT Greengrass安全性、身分識別與合規裝置安全性
語言
English
scriobhneoir
已提問 9 個月前檢視次數 278 次
1 個回答
2

Hello,

Greengrass is not affected by this CVE. This CVE concerns SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Greengrass does not use SnakeYaml directly. We import an old version of Jackson dataformat library, which uses SnakeYaml. Jackson is also not affected by this CVE. https://github.com/FasterXML/jackson-dataformats-text/issues/392

We will update Jackson library in our next Nucleus release.

AWS
yitingb
已回答 9 個月前
AWS
專家
MichaelDombrowski-AWS
已審閱 9 個月前
profile picture
專家
Gary Mclean
已審閱 9 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容