Fixing snakeyaml vulnerability (CVE-2022-1471) on older ES versions

I'm using ES version 5.6.X, and I would like to change the snakeyaml package version to the one with the fix for CVE-2022-1471. Meaning, I need to change the package version from 1.33 (I guess...) to 2.0.

How can I do that?
Should it be in my Dockerfile? Or in the elasticsearch.yml file?

Elasticsearch 5 is very old and is no longer maintained.

We have never tested running Elasticsearch 5.6 with any version of SnakeYaml other than the one that it shipped with. It might work, but there are no guarantees.

If you care about resolving vulnerabilities then you need to migrate to a maintained version of Elasticsearch. No one is patching vulnerabilities in Elasticsearch 5 (or 6) anymore.


Elasticsearch 5.6 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Note that this version of snakeyaml is also a dependency of org.elasticsearch:elasticsearch-x-content:jar:7.17.9.

See also the output of grype:

For 7.17.9:

# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.17.9-linux-x86_64.tar.gz
...

# grype elasticsearch-7.17.9-linux-x86_64.tar.gz
 ✔ Vulnerability DB        [no update available]
New version of grype is available: 0.59.1 (currently running: 0.57.1)
 ✔ Indexed /private/var/folders/yv/r54c6ptj6vz1s1937pc7v4mc0000gn/T/syft-archive-contents-4151449920
 ✔ Cataloged packages      [286 packages]
 ✔ Scanned image           [34 vulnerabilities]
NAME              INSTALLED     FIXED-IN      TYPE          VULNERABILITY        SEVERITY

...
snakeyaml         1.33          2.0           java-archive  GHSA-mjmj-j48q-9wg2  High
...

For 8.6.2:

# wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.6.2-linux-x86_64.tar.gz
...

# grype elasticsearch-8.6.2-linux-x86_64.tar.gz
 ✔ Vulnerability DB        [no update available]
New version of grype is available: 0.59.1 (currently running: 0.57.1)
 ✔ Indexed /private/var/folders/yv/r54c6ptj6vz1s1937pc7v4mc0000gn/T/syft-archive-contents-86995759
 ✔ Cataloged packages      [516 packages]
 ✔ Scanned image           [71 vulnerabilities]
NAME                           INSTALLED     FIXED-IN      TYPE          VULNERABILITY        SEVERITY
...
snakeyaml                      1.33          2.0           java-archive  GHSA-mjmj-j48q-9wg2  High
...

The GitHub Advisory Database entry listed by grype, "SnakeYaml Constructor Deserialization Remote Code Execution · CVE-2022-1471", is about the mentioned CVE-2022-1471.
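A small check a reader can run against the tarballs scanned above, added here as an example (it is not code from the thread or from Elastic): it lists the SnakeYAML jars inside an Elasticsearch distribution archive without unpacking it and flags any below the 2.0 fix version that grype reports. The sample archive it builds is constructed, with empty placeholder jars and a made-up module name; it assumes POSIX sh, a tar that handles gzip (-z) and sed.

```shell
# Added example, not from the thread. Finds the SnakeYAML jars bundled in an
# Elasticsearch distribution tarball and flags anything below 2.0, the
# FIXED-IN version grype reports for CVE-2022-1471.

# Print "<path> <version>" for every snakeyaml-<version>.jar in the tarball.
list_snakeyaml_jars() {
    tar tzf "$1" | sed -n 's#^\(.*/snakeyaml-\([0-9][0-9.]*\)\.jar\)$#\1 \2#p'
}

# Exit 0 when a SnakeYAML version is at or above the 2.0 fix line, 1 otherwise.
# The fix is a major-version bump, so comparing the major component is enough.
version_is_fixed() {
    major=${1%%.*}
    [ "$major" -ge 2 ]
}

# Print the path of every bundled SnakeYAML jar still below 2.0.
vulnerable_snakeyaml_jars() {
    list_snakeyaml_jars "$1" | while read -r path ver; do
        version_is_fixed "$ver" || echo "$path"
    done
}

# Report on one tarball; returns 1 if any vulnerable jar was found.
check_tarball() {
    found=$(vulnerable_snakeyaml_jars "$1")
    if [ -n "$found" ]; then
        printf 'SnakeYAML < 2.0 (CVE-2022-1471) found in %s:\n%s\n' "$1" "$found"
        return 1
    fi
    echo "no SnakeYAML below 2.0 in $1"
}

# Build a small constructed tarball that mimics the layout grype scanned above
# (empty placeholder jars and a made-up module; only file names matter here).
make_sample_tarball() {
    dir=$(mktemp -d)
    mkdir -p "$dir/elasticsearch-7.17.9/lib" "$dir/elasticsearch-7.17.9/modules/example-module"
    : > "$dir/elasticsearch-7.17.9/lib/snakeyaml-1.33.jar"
    : > "$dir/elasticsearch-7.17.9/modules/example-module/example-module-7.17.9.jar"
    tar czf "$dir/sample.tar.gz" -C "$dir" elasticsearch-7.17.9
    echo "$dir/sample.tar.gz"
}
```

Run it against a real download with `check_tarball elasticsearch-7.17.9-linux-x86_64.tar.gz`; a non-zero exit means a SnakeYAML jar below 2.0 is still bundled.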

Thanks @frens !
So it seems like this CVE still exists in the latest ES version :frowning:

I've posted a new topic on that - mainly to understand the plan to fix it, and how I can change this package version manually.


We would rather not discuss potential security issues here. Please see this page for more information on the proper process to raise such issues:
