Vulnerability Name: CVE-2022-25857 (CCN-234864)

Assigned:2022-05-01
Published:2022-05-01
Updated:2022-10-06
Summary:The package org.yaml:snakeyaml, versions from 0 and before 1.31, is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity:7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-400
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2022-25857

Source: CONFIRM
Type: Patch, Third Party Advisory
N/A

Source: CONFIRM
Type: Exploit, Issue Tracking, Third Party Advisory
N/A

Source: XF
Type: UNKNOWN
java-snakeyaml-cve202225857-dos(234864)

Source: CCN
Type: snakeyaml GIT Repository
Restrict nested depth for collections to avoid DoS attacks

Source: CONFIRM
Type: Patch, Third Party Advisory
N/A

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20221002 [SECURITY] [DLA 3132-1] snakeyaml security update

Source: CCN
Type: SNYK-JAVA-ORGYAML-2806360
Denial of Service (DoS)

Source: CONFIRM
Type: Exploit, Patch, Third Party Advisory
N/A

Source: CCN
Type: IBM Security Bulletin 6828251 (Process Mining)
Vulnerability in SnakeYAML affects IBM Process Mining. CVE-2022-25857

Source: CCN
Type: IBM Security Bulletin 6831339 (Voice Gateway)
Multiple Vulnerabilities in java packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6837247 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container IntegrationServer operands that process yaml files may be vulnerable to denial of service due to CVE-2022-25857

Source: CCN
Type: IBM Security Bulletin 6840675 (Log Analysis)
Vulnerabilities in SnakeYAML used by Logstash affects IBM Operations Analytics - Log Analysis (CVE-2022-25857, CVE-2017-18640)

Source: CCN
Type: IBM Security Bulletin 6845796 (Business Automation Workflow containers)
Multiple security vulnerabilities in IBM Business Automation Workflow Event Emitters

Source: CCN
Type: IBM Security Bulletin 6846157 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Commons Text 1.9

Source: CCN
Type: IBM Security Bulletin 6846257 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6848023 (Planning Analytics Workspace)
IBM Planning Analytics Workspace is affected by vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6848879 (i Modernization Engine for Lifecycle Integration)
IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6849213 (App Connect Enterprise)
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind

Source: CCN
Type: IBM Security Bulletin 6854713 (Voice Gateway)
Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 6890683 (Workload Scheduler)
IBM Workload Scheduler potentially affected by multiple vulnerabilities in Java package org.yaml:snakeyaml

Source: CCN
Type: IBM Security Bulletin 6909433 (Cloud Pak for Multicloud Management Monitoring)
IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML

Source: CCN
Type: IBM Security Bulletin 6910171 (Integration Designer)
Multiple CVEs affect IBM Integration Designer

Source: CCN
Type: IBM Security Bulletin 6952185 (MQ)
IBM MQ Blockchain bridge is vulnerable to an issue identified in snakeyaml (CVE-2022-25857)

Source: CCN
Type: IBM Security Bulletin 6955579 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable to multiple issues due to SnakeYAML

Source: CCN
Type: IBM Security Bulletin 6958062 (Cloud Pak for Business Automation)
Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2023

Source: CCN
Type: IBM Security Bulletin 6958693 (Business Automation Workflow traditional)
Multiple security vulnerabilities are reported for snakeyaml and jackson-databind in IBM Business Automation Workflow

Source: CCN
Type: IBM Security Bulletin 6967012 (Cloud Pak for Watson AIOps)
Multiple Vulnerabilities in CloudPak for Watson AIOPs

Source: CCN
Type: IBM Security Bulletin 6967183 (Cloud Pak System Software Suite)
Multiple vulnerabilities in Open Source software used by Cloud Pak System

Source: CCN
Type: IBM Security Bulletin 6969753 (Log Analysis)
Multiple Vulnerabilities related to SnakeYAML in Logstash shipped with IBM Operations Analytics - Log Analysis

Source: CCN
Type: IBM Security Bulletin 6985689 (Db2 Graph)
Multiple vulnerabilities affect IBM Db2 Graph

Source: CCN
Type: IBM Security Bulletin 6987499 (Business Automation Workflow traditional)
Multiple vulnerabilities in DITA may affect IBM Business Automation Workflow and IBM Case Manager

Source: CCN
Type: IBM Security Bulletin 6988677 (InfoSphere Information Server)
IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in snakeYAML

Source: CCN
Type: IBM Security Bulletin 7002485 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in SnakeYAML

Source: CCN
Type: IBM Security Bulletin 7008449 (Db2 on Cloud Pak for Data)
Multiple vulnerabilities affect IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-25857

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:snakeyaml_project:snakeyaml:*:*:*:*:*:*:*:* (Version < 1.31)

Configuration 2:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:snakeyaml_project:snakeyaml:1.30:*:*:*:*:*:*:*
  AND
  • cpe:/a:sun:java:*:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.1:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:log_analysis:1.3.6.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:integration_designer:20.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:workload_scheduler:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:12.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics_workspace:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.3:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:20.0.0.2:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.3:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:18.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:19.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:20.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.2:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:case_manager:5.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:-:*:*:containers:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:21.0.3.1:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.0:*:*:*:lts:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise:11.0.0.19:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.2.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:22.0.2:*:*:*:traditional:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:22.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.7:*:*:*:standard:*:*:*

  * Denotes that the component is vulnerable

Oval Definitions:
Definition ID                        | Class | Title                                                          | Last Modified
oval:org.opensuse.security:def:8065  | P     | snakeyaml-1.33-150200.3.12.4 on GA media (Moderate)            | 2023-06-20
oval:com.redhat.rhsa:def:20226820    | P     | RHSA-2022:6820: prometheus-jmx-exporter security update (Moderate) | 2022-10-20
oval:org.opensuse.security:def:780   | P     | Security update for snakeyaml (Important)                      | 2022-09-26