Update to SnakeYAML 1.26 to address CVE-2017-18640

[joschi]

SnakeYAML < 1.26 is vulnerable to a Billion Laughs attack (denial of service).

The issue has been tracked in asomov/snakeyaml#377 and been published in CVE-2017-18640.

References:

• https://cwe.mitre.org/data/definitions/776.html
• https://nvd.nist.gov/vuln/detail/CVE-2017-18640
• https://bitbucket.org/asomov/snakeyaml/issues/377
• update snakeyaml to 1.26+ to address security vulnerability CVE-2017-18640 dropwizard/dropwizard#3223

[cowtowncoder]

Updated for 2.10(.4); backported in 2.9 branch but uncertain whether there will be any releases (if so, 2.9.10.1 or 2.9.11)

[joschi]

@cowtowncoder Thanks for your swift reaction!

[cowtowncoder]

No prob, thank you for bringing this CVE to our attention.

[nandakishorkn]

Even after this commit, I still see SnakeYAML 1.23 is getting pulled via DropWizard 1.3.22.

From dropwizard-bom-1.3.22.pom, I see it is correctly pointing to SnakeYAML 1.26 but SnakeYAML 1.23 is getting pulled via DropWizard 1.3.22
https://repo1.maven.org/maven2/io/dropwizard/dropwizard-bom/1.3.22/dropwizard-bom-1.3.22.pom

[joschi]

@nandakishorkn I'm unable to reproduce this with a new project (generated using the Dropwizard Maven archetype). Maybe you or a dependency in your project overrides the version of SnakeYAML?

Please create an issue at https://github.com/dropwizard/dropwizard/issues with a minimal project to reproduce your issue if you cannot find the reason.

Here's the example:

mvn archetype:generate -DarchetypeGroupId=io.dropwizard.archetypes -DarchetypeArtifactId=java-simple -DarchetypeVersion=1.3.22
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------< org.apache.maven:standalone-pom >-------------------
[INFO] Building Maven Stub Project (No POM) 1
[INFO] --------------------------------[ pom ]---------------------------------
[INFO]
[INFO] >>> maven-archetype-plugin:3.1.2:generate (default-cli) > generate-sources @ standalone-pom >>>
[INFO]
[INFO] <<< maven-archetype-plugin:3.1.2:generate (default-cli) < generate-sources @ standalone-pom <<<
[INFO]
[INFO]
[INFO] --- maven-archetype-plugin:3.1.2:generate (default-cli) @ standalone-pom ---
[INFO] Generating project in Interactive mode
[WARNING] No archetype found in remote catalog. Defaulting to internal catalog
[INFO] Archetype repository not defined. Using the one from [io.dropwizard.archetypes:java-simple:2.0.99-SNAPSHOT] found in catalog local
Downloading from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/archetypes/java-simple/1.3.22/java-simple-1.3.22.pom
Downloaded from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/archetypes/java-simple/1.3.22/java-simple-1.3.22.pom (1.8 kB at 2.3 kB/s)
Downloading from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/archetypes/dropwizard-archetypes/1.3.22/dropwizard-archetypes-1.3.22.pom
Downloaded from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/archetypes/dropwizard-archetypes/1.3.22/dropwizard-archetypes-1.3.22.pom (6.3 kB at 7.7 kB/s)
Downloading from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/dropwizard-parent/1.3.22/dropwizard-parent-1.3.22.pom
Downloaded from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/dropwizard-parent/1.3.22/dropwizard-parent-1.3.22.pom (29 kB at 34 kB/s)
Downloading from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/dropwizard-bom/1.3.22/dropwizard-bom-1.3.22.pom
Downloaded from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/dropwizard-bom/1.3.22/dropwizard-bom-1.3.22.pom (32 kB at 30 kB/s)
Downloading from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/archetypes/java-simple/1.3.22/java-simple-1.3.22.jar
Downloaded from instana-private: https://artifact.instana.io/artifactory/instana-private/io/dropwizard/archetypes/java-simple/1.3.22/java-simple-1.3.22.jar (3.7 kB at 3.4 kB/s)
Define value for property 'groupId': test
Define value for property 'artifactId': test
Define value for property 'version' 1.0-SNAPSHOT: :
Define value for property 'package' test: :
[INFO] Using property: description = null
Define value for property 'name': Test
[INFO] Using property: shaded = true
Confirm properties configuration:
groupId: test
artifactId: test
version: 1.0-SNAPSHOT
package: test
description: null
name: Test
shaded: true
 Y: : y
[INFO] ----------------------------------------------------------------------------
[INFO] Using following parameters for creating project from Archetype: java-simple:1.3.22
[INFO] ----------------------------------------------------------------------------
[INFO] Parameter: groupId, Value: test
[INFO] Parameter: artifactId, Value: test
[INFO] Parameter: version, Value: 1.0-SNAPSHOT
[INFO] Parameter: package, Value: test
[INFO] Parameter: packageInPathFormat, Value: test
[INFO] Parameter: package, Value: test
[INFO] Parameter: version, Value: 1.0-SNAPSHOT
[INFO] Parameter: name, Value: Test
[INFO] Parameter: groupId, Value: test
[INFO] Parameter: description, Value: null
[INFO] Parameter: shaded, Value: true
[INFO] Parameter: artifactId, Value: test
[INFO] Project created from Archetype in dir: /Users/joschi/tmp/test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  31.014 s
[INFO] Finished at: 2020-04-09T13:56:30+02:00
[INFO] ------------------------------------------------------------------------

# mvn -f test/pom.xml dependency:list | grep -i snakeyaml
[INFO]    org.yaml:snakeyaml:jar:1.26:compile