CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected: Apache Brooklyn 0.9.0 and all prior versions

Description: Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.

Solution: Upgrade to Apache Brooklyn 0.10.0. This changes the SnakeYAML configuration to limit unmarshalling to a whitelist of safe, basic Java types. This change blocks YAML document inputs that use unsafe Java types.

Temporary Mitigation: Ensure your Apache Brooklyn instance is properly secured so that untrusted users cannot access Brooklyn's API. User authentication should be configured with strong passwords, and access limited to known trusted individuals. Configure SSL/TLS. Installations of Apache Brooklyn should not be exposed to the Internet without considering the security implications.

Example Exploit: Consider this fragment of YAML:

Credit: This issue was discovered by Moritz Bechler of AgNO3 GmbH & Co. KG.

References: http://www.apache.org/security/index.html
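The configuration change described under Solution, shown as an added example that is not Brooklyn's own code: the weak default SnakeYAML loader beside a loader restricted to the standard YAML types. It assumes SnakeYAML 1.x, whose SafeConstructor only knows the built-in tags (map, seq, str, int, bool, ...) and rejects any "!!some.java.Class" tag with a ConstructorException; whether Brooklyn 0.10.0 uses SafeConstructor or its own whitelist is not stated on the page.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderCheck {

    // 'Before' configuration (weak): the default constructor resolves
    // "!!fully.qualified.ClassName" tags against the whole classpath,
    // which is the behaviour the advisory describes.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // Corrected configuration: SafeConstructor builds only standard YAML
    // types (Map, List, String, Integer, Boolean, ...) and refuses any
    // Java class tag, so untrusted documents cannot pick a class to load.
    static Object loadWithSafeConstructor(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    // Returns true if the safe loader accepts the document, false if it
    // rejects it (ConstructorException is a subclass of YAMLException).
    static boolean acceptedBySafeLoader(String yaml) {
        try {
            loadWithSafeConstructor(yaml);
            return true;
        } catch (YAMLException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs (not taken from the advisory). The
        // tagged document uses a harmless class purely to show that the
        // safe loader rejects the tag form itself, whatever class is named.
        String plain = "name: my-app\nlocation: localhost\nservices:\n  - type: demo\n";
        String tagged = "name: my-app\nlocation: !!java.lang.Object {}\n";

        System.out.println("plain document accepted:  " + acceptedBySafeLoader(plain));
        System.out.println("tagged document accepted: " + acceptedBySafeLoader(tagged));
    }
}
```

Run against an input corpus, acceptedBySafeLoader doubles as a quick audit: any document that the default loader parses but the safe loader rejects depends on a Java class tag and deserves a look.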