Andy Coates

Andy Coates

Software engineer with a passion for building working, scalable, systems

1 minute read

The v0.3.1 patch release of Creek is now publicly available on Maven Central.

This small patch contains a few dependency updates to fix some security vulnerabilities in dependencies. Nothing really worth calling out as being fixed, as its mostly stuff that wouldn’t affect their use in Creek.

However, I will call out a few of the remaining ‘vulnerabilities’ in Creek dependencies.

Snake YAML’s Deserialization of Untrusted Data

See CVE-2022-1471 & GHSA-mjmj-j48q-9wg2.

At the time of writing, this was marked with High / Critical priority. However, if you read up on the vulnerability, you’ll see the vulnerability is that the deserializer allows instantiation or arbitrary types, and this can lead to remote code execution if you’re parsing YAML from an untrustworthy source, e.g. text submitted from a form on a website.

This is not an issue for Creek, as all YAML being deserialized is from a trusted source, i.e. you, the user, running Creek system tests written in YAML.

SnakeYaml isn’t used directly by Creek. Creek makes use of it via Jackson. Fixing this (none) issue in Creek is not currently possible.

Jackson core’s Uncontrolled Resource Consumption

See sonatype-2022-6438.

At the time of writing, this is marked with High priority. However, if you read up on this vulnerability, this is also about parsing data from untrustworthy source.

This is not an issue for Creek, as all data being deserialized is from a trusted source, i.e. you, the user, running Creek system tests written in YAML.

There is already a fix in Jackson. Creek will update to 2.15.0 of Jackson when it is released.

Kafka Stream’s divide by zero

See sonatype-2019-0422

This seems to be a vulnerability detected by SonaType OSS Index scanning a PR that fixed a potential divide-by-zero issue. The PR was never merged, hence the vulnerability report. However, from the PR comments it looks as though this issue is unlikely, or even impossible, to be hit.

An issue has been raised to track a potential fix.
Creek will be updated should a fix become available.

Sign off

As for continuing work on Creek: my focus is currently elsewhere for the next month or two, but I will get to those tutorials soon, and will post when I do!