CVE-2022-1471
Deserialization of Untrusted Data vulnerability in org.yaml:snakeyaml

Deserialization of Untrusted Data Proof of concept

What is CVE-2022-1471 About?

SnakeYaml's `Constructor` class permits deserialization of arbitrary types, enabling Remote Code Execution (RCE) even when type checks are enabled. This vulnerability allows an attacker to supply a malicious YAML payload that executes arbitrary code upon deserialization, regardless of the target class's declared property types. Exploitation is severe and relatively easy if an attacker can provide untrusted YAML input.

Affected Software

org.yaml:snakeyaml <2.0

Technical Details

The `org.yaml.snakeyaml.constructor.Constructor` class in SnakeYaml, which inherits from `SafeConstructor`, suffers from a critical deserialization vulnerability. Despite being initialized with a specific target class (e.g., `new Constructor(TestDataClass.class)`), the `Constructor` allows the deserialization of arbitrary types specified within the YAML payload itself, via explicit YAML tags like `!!javax.script.ScriptEngineManager`. This bypasses intended type safety checks. An attacker can craft a YAML document containing a malicious object graph that, when deserialized, triggers the instantiation of dangerous classes and methods (a gadget chain). While a `ConstructorException` may eventually be thrown due to type mismatches between the YAML content and the target Java class's properties, the malicious payload's constructor or other methods are often called *before* the exception is thrown, leading to successful Remote Code Execution. The `payload` property in the proof of concept demonstrates injecting a `javax.script.ScriptEngineManager` to execute system commands, such as making an HTTP request.

What is the Impact of CVE-2022-1471?

Successful exploitation may allow attackers to achieve remote code execution, leading to complete system compromise, data theft, or denial of service.

What is the Exploitability of CVE-2022-1471?

Exploitation of this Deserialization of Untrusted Data vulnerability is of medium complexity, primarily requiring the ability to provide untrusted YAML content to an application that uses SnakeYaml's `Constructor` directly. There are typically no specific authentication or privilege requirements beyond the ability to submit the malicious YAML. This is a remote vulnerability, commonly exploited through APIs that accept YAML input. The critical prerequisite is that the application uses `new Yaml(new Constructor(SomeClass.class)).load(yamlContent)` or a similar pattern, and processes YAML from untrusted sources. The attacker needs to identify suitable gadget chains present in the application's classpath for RCE. Risk factors include web services and applications that use SnakeYaml for configuration loading or data exchange from external, untrusted parties without employing stricter `SafeConstructor` configurations or explicit type filtering.

What are the Known Public Exploits?

PoC Author   | Link | Commentary
1fabunicorn  | Link | Code for Veracode blog
falconkei    | Link | SnakeYAML-CVE-2022-1471-POC

What are the Available Fixes for CVE-2022-1471?

Available Upgrade Options

  • org.yaml:snakeyaml
    • <2.0 → Upgrade to 2.0
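As an added example (not the page's own code, the PoC, or SnakeYAML's code), the vulnerable loading pattern named above beside a hardened loader for the 1.x API that refuses explicit class tags outside an allow-list; `AppConfig` and `AllowListConstructor` are hypothetical names, and the example assumes SnakeYAML 1.x, whose `Constructor` exposes the protected `getClassForName` hook used here.

```java
import java.util.Set;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaders {
    /** Hypothetical target type the application expects to load. */
    public static class AppConfig {
        public String name;
        public int port;
    }

    /** Vulnerable pattern from the advisory: a !!some.Class tag on any nested value is honoured. */
    public static AppConfig loadVulnerable(String yaml) {
        return new Yaml(new Constructor(AppConfig.class)).loadAs(yaml, AppConfig.class);
    }

    /**
     * 1.x hardening: Constructor resolves a class named by an explicit tag through getClassForName(),
     * so overriding it refuses anything off the allow-list before the tagged class is instantiated.
     * (SnakeYAML 2.0 rejects global tags by default and exposes this policy via LoaderOptions.setTagInspector.)
     */
    static final class AllowListConstructor extends Constructor {
        private final Set<String> allowed;

        AllowListConstructor(Class<?> root, Set<String> allowed) {
            super(root);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> getClassForName(String name) throws ClassNotFoundException {
            if (!allowed.contains(name)) {
                throw new YAMLException("class not permitted by tag allow-list: " + name);
            }
            return super.getClassForName(name);
        }
    }

    /** Only the root bean is permitted; where plain maps/lists suffice, SafeConstructor refuses unknown tags. */
    public static AppConfig loadHardened(String yaml) {
        Constructor c = new AllowListConstructor(AppConfig.class, Set.of(AppConfig.class.getName()));
        return new Yaml(c).loadAs(yaml, AppConfig.class);
    }

    public static void main(String[] args) {
        // Constructed sample: a nested value tagged with a class the application never asked for.
        String tagged = "name: !!java.util.Date 0\nport: 8080\n";
        try {
            loadHardened(tagged);
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list check runs before any constructor of the tagged class, which is the point at which the advisory notes code executes even though a `ConstructorException` follows later.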


Additional Resources

What are Similar Vulnerabilities to CVE-2022-1471?

Similar Vulnerabilities: CVE-2017-15095, CVE-2017-7525, CVE-2020-2521, CVE-2019-14439, CVE-2017-10356