Elasticsearch Security Statement regarding CVE-2022-1471

Elasticsearch is not affected by this issue.

Elasticsearch is not affected by the issue described in CVE-2022-1471 because, in general, it does not use SnakeYAML to parse YAML.

Summary

Elasticsearch supports YAML as a format for search queries, and it also uses YAML for its configuration files (i.e. elasticsearch.yml). However, Elasticsearch's YAML parsing is implemented in the X-Content plugin, which uses jackson-dataformats-text and NOT SnakeYAML directly.

Additional Details

Elasticsearch has only ever used SnakeYAML directly for YAML parsing in one place: the machine-dependent heap size calculations. This feature was introduced in 7.12 by "[7.x] Autodetermine heap settings based on node roles and total system memory". For a short period it used the unsafe constructor, until "Tweak constructor for yaml parser" switched it to the safe constructor in 7.13.0 onwards. That change also added the unsafe constructor to the forbidden methods list, so that it cannot be used anywhere in the Elasticsearch code base, even accidentally. Elasticsearch 8.x was never released with the unsafe constructor at all: "Tweak constructor for yaml parser" was merged in 8.0.0-alpha, so 8.0.0 and all later versions only ever used the safe constructor. Even in this case, the YAML parsing was restricted to the elasticsearch.yml file, and any exploitation attempt would require very high existing privileges (write access to the Elasticsearch node's filesystem).

In 8.3.0 and onwards, SnakeYAML has been removed as a direct dependency in "Remove direct snakeyaml dependency from launcher tools" and replaced with X-Content, which is backed by jackson-dataformats-text. SnakeYAML is bundled in Elasticsearch only as a transitive dependency of jackson-dataformats-text, and jackson-dataformats-text does not use SnakeYAML for YAML parsing either; it uses other parts of the library in a supporting role. The developers of jackson-dataformats-text attest that their YAML parsing is not in any way affected by CVE-2022-1471.

In 8.8.0 and onwards, this transitive SnakeYAML dependency has nevertheless been upgraded to 2.0 as part of Elastic's standard maintenance efforts.
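As an added illustration (not Elasticsearch's own code), the following Java snippet shows the loading pattern the statement turns on: parsing YAML through SnakeYAML's SafeConstructor, which only knows the standard YAML tags, so a document cannot name a Java class for the loader to instantiate. It assumes SnakeYAML 1.33 or 2.x on the classpath; the tag com.example.NotAllowed is a made-up placeholder and the configuration lines are a constructed sample, not a real elasticsearch.yml.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {

    /** Parses YAML into plain Java collections only (Map, List, String, numbers, ...). */
    static Object loadSafely(String yamlText) {
        LoaderOptions options = new LoaderOptions();
        // SafeConstructor resolves only the standard tags (!!map, !!seq, !!str, ...).
        // A document carrying a global tag that names a class is rejected, either by
        // the composer (SnakeYAML 2.x default TagInspector) or by the constructor.
        Yaml yaml = new Yaml(new SafeConstructor(options));
        return yaml.load(yamlText);
    }

    public static void main(String[] args) {
        // Constructed sample resembling a minimal elasticsearch.yml
        String config = String.join("\n",
            "cluster.name: demo",
            "node.roles: [master, data]",
            "path.data: /var/lib/elasticsearch");
        @SuppressWarnings("unchecked")
        Map<String, Object> parsed = (Map<String, Object>) loadSafely(config);
        System.out.println("cluster.name = " + parsed.get("cluster.name"));
        System.out.println("node.roles   = " + parsed.get("node.roles"));

        // Constructed document whose tag names a made-up class (placeholder, not a real class)
        String tagged = "setting: !!com.example.NotAllowed {}";
        try {
            loadSafely(tagged);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // Expected path: the safe loader refuses to build an object for this tag
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same document loaded with the default `Constructor` on a pre-2.0 SnakeYAML would instead attempt to instantiate the named class, which is the behaviour CVE-2022-1471 describes and the forbidden-methods check mentioned above guards against.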
