CVE-2021-41110 Vulnerability announcement (with fix) for the service that powers view.commonwl.org


Michael R. Crusoe

Oct 1, 2021, 5:19:10 AM
to common-workflow-language
If you are running your own instance of view.commonwl.org, or if you use snakeyaml (but not snakeyaml-engine) to parse CWL/YAML files, then please review the following security vulnerability announcement and take appropriate action.

The cwljava library uses snakeyaml-engine, so it does not appear to be vulnerable.

CWL Viewer: deserialization of untrusted data can lead to complete takeover by an attacker

CVSS Score

9.1 Critical
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Impact

What kind of vulnerability is it? Deserialization of Untrusted Data

Who is impacted? Anyone running cwlviewer older than f6066f0 (dated 2021-09-30)

Patches

Patched in f6066f0

The instance at https://view.commonwl.org has been updated as well

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading? No. The SnakeYaml constructor, by default, allows any data to be parsed. To fix the issue the object needs to be created with a SafeConstructor object, as seen in the patch.
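As an added illustration (not code from this advisory or from cwlviewer), the following compares the default `Yaml()` loader with one built on `SafeConstructor`. It assumes SnakeYAML 1.x (in 2.x `SafeConstructor` takes a `LoaderOptions` argument), and the `Probe` class and the sample document are constructed stand-ins: `Probe` represents any class on the viewer's classpath that a YAML `!!` tag could name.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Constructed stand-in for any class reachable on the classpath. The setter
// prints so that it is visible that code in the named class runs while the
// document is still being parsed, before the application sees the result.
class Probe {
    public void setPath(String path) {
        System.out.println("Probe.setPath ran during YAML load with: " + path);
    }
}

public class SnakeYamlLoadDemo {
    // Constructed sample: a CWL-looking document where one value carries an
    // explicit tag naming a Java class instead of plain YAML data.
    static final String UNTRUSTED_DOC =
        "cwlVersion: v1.2\n"
      + "class: CommandLineTool\n"
      + "baseCommand: !!Probe {path: /tmp/example}\n";

    // Before the fix: the default constructor resolves !!tags to classes and
    // instantiates them, so parsing untrusted input instantiates attacker-chosen types.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // After the fix (as in f6066f0): SafeConstructor only builds the standard
    // YAML types (maps, lists, strings, numbers, booleans, timestamps, ...)
    // and rejects any tag it does not know.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        System.out.println("unsafe result: " + loadUnsafe(UNTRUSTED_DOC));
        try {
            loadSafe(UNTRUSTED_DOC);
            System.out.println("safe loader accepted the document (unexpected)");
        } catch (ConstructorException e) {
            // Expected: "could not determine a constructor for the tag ..."
            System.out.println("safe loader rejected the document: " + e.getMessage());
        }
    }
}
```

Running the unsafe path prints the `Probe.setPath` line before the parsed map is returned, while the safe path throws `ConstructorException` without instantiating anything; a CWL file that only uses plain YAML types parses identically under both loaders.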

References

Are there any links users can visit to find out more? Analysis of the SnakeYaml deserialization in Java Security

For more information

If you have any questions or comments about this advisory:

Credit: Bruno P. Kinoshita (@kinow) for discovering and fixing this vulnerability.
