ISN-2023-18: SnakeYAML Vulnerability

First published 30 August 2023

CVSS 3.1: 6.3 (Medium)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Summary

A vulnerability has been found in the Java package snakeYAML, which is used to parse YAML files. This affects the following IGEL products:

• UMS
• ICG

Details

A deserialization vulnerability has been discovered in SnakeYAML. It can lead to Remote Code Execution (RCE). However, in IGEL UMS and ICG it cannot be called remotely. Also, an attack on the local YAML file is mitigated by the fact that this is only writeable by root or a Windows system service. This is why IGEL is downgrading the severity of this issue, rated by NVD as critical, to medium for UMS and ICG.

Update Instructions

• UMS: Update UMS to version 12.03.100 (scheduled for November 2023)
• ICG: Update ICG to version 12.03.100 (scheduled for November 2023)

References

• CVE-2022-1471: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
• NVD, CVE-2022-1471: https://nvd.nist.gov/vuln/detail/CVE-2022-1471