ISN-2023-18: SnakeYAML Vulnerability

First published 30 August 2023

CVSS 3.1: 6.3 (Medium)

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Summary

A vulnerability has been found in the Java package snakeYAML, which is used to parse YAML files. This affects the following IGEL products:

UMS
ICG

Details

A deserialization vulnerability has been discovered in SnakeYAML. It can lead to Remote Code Execution (RCE). However, in IGEL UMS and ICG it cannot be called remotely. Also, an attack on the local YAML file is mitigated by the fact that this is only writeable by root or a Windows system service. This is why IGEL is downgrading the severity of this issue, rated by NVD as critical, to medium for UMS and ICG.

Update Instructions

UMS: Update UMS to version 12.03.100 (scheduled for November 2023)
ICG: Update ICG to version 12.03.100 (scheduled for November 2023)

References

CVE-2022-1471: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1471
NVD, CVE-2022-1471: https://nvd.nist.gov/vuln/detail/CVE-2022-1471

Download PDF

ISN-2023-18: SnakeYAML Vulnerability

Summary

Details

Update Instructions

References

Cookie Notice