
ISN-2023-18: SnakeYAML Vulnerability

First published 30 August 2023

CVSS 3.1: 6.3 (Medium)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Summary

A vulnerability has been found in the Java package SnakeYAML, which is used to parse YAML files. This affects the following IGEL products:

  • UMS
  • ICG

Details

A deserialization vulnerability has been discovered in SnakeYAML that can lead to remote code execution (RCE). In IGEL UMS and ICG, however, the vulnerable code path cannot be reached remotely, and an attack through the local YAML file is mitigated by the fact that the file is writable only by root or by a Windows system service. For this reason IGEL downgrades the severity of this issue, rated by NVD as critical, to medium for UMS and ICG.
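The mechanism behind this class of SnakeYAML issue is that the default loader honours explicit class tags and will instantiate the named class, whereas a loader built on SafeConstructor only builds the standard YAML types. The following Java snippet is an added illustration, not IGEL's or the SnakeYAML project's own code; it assumes SnakeYAML 1.33 or 2.x on the classpath, and the CONFIG sample is constructed for the example.

```java
// Added example (not IGEL's code): a config loader hardened with
// SafeConstructor rejects any globally tagged node instead of
// instantiating the class it names.
// Assumes SnakeYAML 1.33 or 2.x (the LoaderOptions argument to
// SafeConstructor is mandatory from 2.0 on).
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

public class SafeYamlLoad {

    // Constructed sample config: a plain mapping plus one entry carrying an
    // explicit class tag, the shape a tampered local file would have.
    static final String CONFIG =
            "server:\n"
          + "  port: 8443\n"
          + "  name: ums\n"
          + "plugin: !!java.net.URL [\"http://example.invalid/\"]\n";

    // Hardened loader: SafeConstructor only knows the YAML core schema, so
    // any other tag raises ConstructorException rather than building an object.
    static Yaml hardenedLoader() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns true only when the document parses without any disallowed tag.
    static boolean loadsSafely(String yaml) {
        try {
            Map<?, ?> doc = hardenedLoader().load(yaml);
            return doc != null;
        } catch (ConstructorException e) {
            // Unknown or disallowed tag: treat the file as tampered.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("tagged config accepted? " + loadsSafely(CONFIG));
        String plain = "server:\n  port: 8443\n  name: ums\n";
        System.out.println("plain config accepted? " + loadsSafely(plain));
    }
}
```

Running it prints `tagged config accepted? false` and `plain config accepted? true`; with `new Yaml()` in place of `hardenedLoader()` the tagged document would instead be materialised as a `java.net.URL` instance.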

Update Instructions

  • UMS: Update UMS to version 12.03.100 (scheduled for November 2023)
  • ICG: Update ICG to version 12.03.100 (scheduled for November 2023)

References
