[MGW][3.2.x] Fix CVE-2022-1471 Vulnerability
npamudika opened this issue · 2 comments
Problem
CVE-2022-1471 vulnerability is reported in Microgateway runtime.
This is due to the org.yaml:snakeyaml 1.32 version, which comes from the jmx_prometheus_javaagent-0.17.2.jar included in the Microgateway runtime.
Solution
Upgrade jmx_prometheus_javaagent to the latest version, 0.18.0.
Implementation
No response
Related Issues
No response
Suggested Labels
No response
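As an added check that is not part of this issue or of the WSO2 project's code: a small Python scanner that reports which SnakeYAML version a jar (such as jmx_prometheus_javaagent) bundles and whether that version is affected by CVE-2022-1471. It assumes the shaded jar keeps the dependency's Maven pom.properties; the sample jars it builds are constructed fixtures, not real artifacts.

```python
"""Check jar files for a bundled org.yaml:snakeyaml and flag CVE-2022-1471-affected versions."""
import io
import re
import sys
import zipfile
from pathlib import Path

# Assumption: the shaded jar keeps the dependency's Maven metadata at this conventional path.
# Builds that strip META-INF/maven leave only class files, so the version is then unknown.
POM_PROPS = "META-INF/maven/org.yaml/snakeyaml/pom.properties"
SNAKEYAML_PKG = "org/yaml/snakeyaml/"
FIXED_IN = (2, 0)  # CVE-2022-1471 (unsafe default Constructor) is fixed in SnakeYAML 2.0

def parse_version(text):
    """'1.32' -> (1, 32); suffixes such as '-SNAPSHOT' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def scan_jar(data):
    """Return bundled flag, detected version and verdict for the jar bytes given.
    'affected' is None when SnakeYAML classes are present but no metadata gives the version."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        bundled = any(n.startswith(SNAKEYAML_PKG) for n in names)
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    version = value.strip()
    if not bundled:
        return {"bundled": False, "version": None, "affected": False}
    if version is None:
        return {"bundled": True, "version": None, "affected": None}  # inspect manually
    return {"bundled": True, "version": version, "affected": parse_version(version) < FIXED_IN}

def build_sample_jar(version=None):
    """Constructed fixture: a minimal jar shading SnakeYAML, optionally with Maven metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/yaml/snakeyaml/Yaml.class", b"\xca\xfe\xba\xbe")  # stub, not a real class
        if version:
            zf.writestr(POM_PROPS, f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    # Walk a runtime directory (e.g. the unpacked Microgateway distribution) and report every jar.
    for path in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*.jar"):
        print(path, scan_jar(path.read_bytes()))
```

Run it against the runtime's lib directory before and after the jmx_prometheus_javaagent upgrade; a result of None means the build stripped the Maven metadata and the version must be confirmed another way.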
Hi,
It's so good that we are inquiring how to fix this issue and see your solution!
But the toolkit file (wso2am-micro-gw-toolkit-linux-3.2.7.zip) also has the same issue: the snakeyaml version is 1.32 (<=1.33). Can you double-check and upgrade jmx_prometheus_javaagent to the latest version [0.18.0] again?
Thank you so much.
Hi @mxh10,
Thanks for the suggestions. We have upgraded the snakeyaml version in the MGW Toolkit 3.2.0 via a U2 update by upgrading the Ballerina version used in it. Please take the latest U2 level of the MGW Toolkit 3.2.0 for the updated pack.
Upgrading jmx_prometheus_javaagent to version 0.18.0 upgraded the snakeyaml version used in MGW Runtime 3.2.0 only. The fixes are in the MGW Runtime 3.2.7 patch release.
Thanks,
Naduni