Which version of Elasticsearch solves CVE-2022-1471 (snakeyaml needs a bump to version 2.0)?

I have a question:
The Elasticsearch version that I use now (7.11.2) has CVE-2022-1471 (about snakeyaml). Which version of Elasticsearch solves this problem? (As far as I know, snakeyaml needs to be bumped to version 2.0, which solves CVE-2022-1471.)

Or can anybody provide some ideas for a solution?

Hi @DeBruyne2020,

Welcome! I suggest looking at the security announcement here for the details. It states that in general Elasticsearch does not use Snakeyaml to parse YAML, but notes that it was removed as a direct dependency in v8.3.0 and that the transitive dependency was upgraded to snakeyaml 2.0 in v8.8.0:

In 8.3.0 and onwards, snakeyaml has been removed as a direct dependency in "Remove direct snakeyaml dependency from launcher tools" and switched to using X-Content, which is backed by jackson-dataformats-text. Snakeyaml is bundled in Elasticsearch only as a transitive dependency of jackson-dataformats-text, but jackson-dataformats-text does not use snakeyaml for YAML parsing either; it uses other parts of the library in a supportive fashion. The developers of jackson-dataformats-text attest that their YAML parsing is not in any way affected by CVE-2022-1471.

In 8.8.0 and onwards, this transitive snakeyaml dependency has nevertheless been upgraded to 2.0, as part of Elastic standard maintenance efforts.

Hope that helps!
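For anyone who wants to verify what is actually bundled in their own install rather than rely on the version table alone, here is an added check (not from this thread or from Elastic) that lists the snakeyaml jars under an Elasticsearch home directory and flags any below 2.0. It assumes Maven-style jar names (snakeyaml-<version>.jar) and that the jars live somewhere under $ES_HOME (lib/ or modules/); paths containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: inventory snakeyaml jars bundled with an Elasticsearch install
# and report whether each one is at least 2.0, the version that addresses
# CVE-2022-1471. Assumptions: jars follow the Maven naming convention
# snakeyaml-<version>.jar and sit under $ES_HOME (typically lib/ or modules/).

# Return 0 if dotted version $1 >= $2 (compares up to four numeric components).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".");
        for (i = 1; i <= 4; i++) {
            p = x[i] + 0; q = y[i] + 0;
            if (p > q) exit 0;
            if (p < q) exit 1;
        }
        exit 0
    }'
}

# Extract the version from a jar path such as .../snakeyaml-1.33.jar -> 1.33
jar_version() {
    basename "$1" .jar | sed 's/^snakeyaml-//'
}

# Print "<path> <version> <OK|OUTDATED>" for every snakeyaml jar under $1.
# Exit status: 0 if all jars are >= 2.0, 1 if any is older, 2 if none found.
check_snakeyaml() {
    dir=$1
    found=0
    outdated=0
    for jar in $(find "$dir" -type f -name 'snakeyaml-*.jar' 2>/dev/null); do
        found=1
        ver=$(jar_version "$jar")
        if version_ge "$ver" "2.0"; then
            echo "$jar $ver OK"
        else
            echo "$jar $ver OUTDATED"
            outdated=1
        fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$outdated" -eq 0 ]
}

# Usage: check_snakeyaml "${ES_HOME:-/usr/share/elasticsearch}"
```

Exit status 2 (no snakeyaml jar at all) is also a useful result: it means the library is not on disk in that tree, which is what the announcement describes for releases where it is only a transitive dependency.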
