
Bump snakeyaml to eliminate known vulnerability #605

Closed
Boojapho opened this issue May 27, 2021 · 1 comment

@Boojapho

The current version in jmx_exporter is 1.2.3: https://github.com/prometheus/jmx_exporter/blob/master/collector/pom.xml#L32
The vulnerability in this version is https://nvd.nist.gov/vuln/detail/CVE-2017-18640

If you bump the version to snakeyaml 1.2.6 (or the latest 1.2.8), you can eliminate this vulnerability.

@fstab (Member) commented May 27, 2021

True, but as the comment in the pom.xml says:

<version>1.23</version> <!-- updating this breaks Java 6 compatibility -->

The vulnerability is for cases where the yaml file comes from an untrusted source. In the case of the jmx_exporter you will certainly write and deploy the yaml yourself, so the CVE doesn't really apply here.

There are plans for providing a default release for Java >= 8 and a separate jdk6 release, because this CVE seems to pop up regularly in users' security scans; see #592

@fstab fstab closed this as completed May 27, 2021
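The distinction fstab draws above (trusted, operator-authored config versus YAML from an untrusted party) is where the alias-expansion cap that SnakeYAML introduced for this CVE matters. The following is an added example, not jmx_exporter's code and not part of the original thread. It assumes SnakeYAML 1.26 through 1.33, where `LoaderOptions.setMaxAliasesForCollections` exists and the no-argument `SafeConstructor` and `Representer` constructors are still available; the class name `YamlLoadPolicy`, the cap of 10 and the constructed documents are all choices made for the example. It loads a jmx_exporter-shaped config (accepted), a small alias-bearing document (accepted) and a constructed document that references one anchored sequence 60 times (rejected), so a reader can see what the cap does and does not affect.

```java
// Added example (not jmx_exporter code). Assumes SnakeYAML 1.26 to 1.33.
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class YamlLoadPolicy {

    /**
     * Loader for YAML that may come from an untrusted party: SafeConstructor keeps
     * output to plain Java types, and the LoaderOptions cap bounds how many times a
     * collection (sequence or mapping) may be referenced through an alias. Scalar
     * aliases are not counted against the cap.
     */
    static Yaml untrustedLoader(int maxCollectionAliases) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(maxCollectionAliases); // cap value is a policy choice
        return new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
    }

    /** Returns true if the loader accepts the document, false if it rejects it. */
    static boolean acceptsDocument(Yaml loader, String document) {
        try {
            Object parsed = loader.load(document);
            return parsed != null;
        } catch (YAMLException e) {
            // SnakeYAML 1.26+ throws YAMLException once the alias cap is exceeded
            return false;
        }
    }

    /** Constructed document: one anchored sequence referenced `count` times. */
    static String aliasHeavyDocument(int count) {
        StringBuilder sb = new StringBuilder("base: &b [1, 2, 3]\nrefs:\n");
        for (int i = 0; i < count; i++) {
            sb.append("  - *b\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed operator-authored config in the shape jmx_exporter reads.
        String trustedConfig = "rules:\n  - pattern: \".*\"\n";
        Yaml loader = untrustedLoader(10);

        System.out.println("trusted config accepted: " + acceptsDocument(loader, trustedConfig));
        System.out.println("5 aliases accepted:      " + acceptsDocument(loader, aliasHeavyDocument(5)));
        System.out.println("60 aliases accepted:     " + acceptsDocument(loader, aliasHeavyDocument(60)));
    }
}
```

The cap is only enforced by the fixed SnakeYAML versions; on 1.23, which the pom above pins for Java 6 compatibility, `LoaderOptions` has no such setter and the 60-alias document loads without complaint. That is the practical meaning of fstab's answer: on the pinned version the only control is that jmx_exporter never hands the parser YAML it did not write itself.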