
Spring and CVE-2022-1471

Yet another CVE was reported recently: CVE-2022-1471, an issue in SnakeYAML.

The Spring developers did a nice job: long ago they built in a security airbag to stay safe.

  1. Spring uses SafeConstructor, as suggested in the CVE.
  2. Spring uses a whitelist filter so that only the expected, configured classes can be created.

Together these two steps are a complete and reliable measure; you can feel safe.
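The two parts of that airbag, as an added example (not Spring's or SnakeYAML's own code): a SafeConstructor loader that refuses every class tag, and a typed loader whose tag allow-list admits only a hypothetical AppConfig bean. It assumes the SnakeYAML 2.x API (LoaderOptions.setTagInspector, Constructor(Class, LoaderOptions)); the sample documents are constructed.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.nodes.Tag;

public class SafeYamlDemo {
  // Hypothetical config bean: the only class the typed loader may instantiate.
  public static class AppConfig {
    public String name;
    public int port;
  }
  // Step 1: SafeConstructor builds only standard YAML types (maps, lists,
  // scalars); a "!!some.Class" tag is refused, never resolved or instantiated.
  public static Object loadUntrusted(String document) {
    Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
    return yaml.load(document);
  }
  // Step 2: a typed loader whose allow-list admits exactly one global tag (the
  // one for AppConfig); any other "!!" tag is rejected while composing nodes.
  public static AppConfig loadConfig(String document) {
    LoaderOptions options = new LoaderOptions();
    String allowedTag = Tag.PREFIX + AppConfig.class.getName();
    options.setTagInspector(tag -> allowedTag.equals(tag.getValue()));
    Yaml yaml = new Yaml(new Constructor(AppConfig.class, options));
    return yaml.load(document);
  }
  public static void main(String[] args) {
    // Constructed sample: untagged data loads as a plain java.util.Map.
    System.out.println(loadUntrusted("name: demo\nport: 8080\n"));
    // Constructed sample carrying a global tag for a made-up class:
    // SafeConstructor rejects it without ever looking the class up.
    try {
      loadUntrusted("!!com.example.Unexpected {name: demo}\n");
    } catch (YAMLException e) {
      System.out.println("rejected: " + e.getMessage());
    }
    // The typed loader accepts the configured class and refuses any other
    // tag, even one naming a class that exists on the classpath.
    AppConfig cfg = loadConfig("name: demo\nport: 8080\n");
    System.out.println(cfg.name + ":" + cfg.port);
    try {
      loadConfig("!!java.util.HashMap {name: demo}\n");
    } catch (YAMLException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```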

What to do if your low-quality tooling complains?

  1. Go to the issue tracker of the low-quality tooling and file a bug report about the false positive. You will be impressed by the number of such bugs already created and ignored (this is what makes the tool low quality: the bugs are created but ignored). The large number of reports already filed should not stop you; the maintainers must be made aware of the stream of false positives they produce.
  2. Go to your manager or security specialist and present this information. If you pay for the low-quality tooling, they cannot leave it unattended.
  3. Develop further and be happy!

Important:

All the measures above are completely redundant when you use YAML only as configuration for your Spring application, because that configuration comes from a trusted source.

Clarification: what low-quality tooling is

  1. CVE and NIST are not low-quality tooling. They are a source of information for those who understand it (this is why the Bible was once not allowed to be read by everyone: one has to know some basics first).
  2. CVE and NIST are the messenger (don't shoot the messenger).
  3. Low-quality tooling is the tooling that fires a false report. It is a tool that pretends to use CVE to warn users but ignores the most important part of a CVE: the context. It creates noise (false positives) based solely on the name and version of the library/package.
  4. The community should be aware that low-quality tooling is confusing on purpose. This is how it shows its importance in order to earn money.
