resteasy-yaml-provider in JBoss EAP 7.4

Solution Verified - Updated

Environment

  • Red Hat Enterprise Application Platform (EAP) 7.4
  • RESTEasy / resteasy-yaml-provider

Issue

  • resteasy-yaml-provider in JBoss EAP 7.4

Resolution

CVE-2022-1471 in SnakeYAML is fixed in EAP 7.4 Update 10+. Note, however, that the resteasy-yaml-provider is not supported in EAP 7.4, as per the documentation:

The resteasy-yaml-provider module is not supported. Its use is not recommended due to a security issue in the SnakeYAML library used by RESTEasy for unmarshalling.

In addition, per the module classification, org.yaml.snakeyaml is a private module, so the application should package the SnakeYAML jar it wants to use.

If the resteasy-yaml-provider is being used, the application should package the SnakeYAML jar.
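
One way to check that a deployment follows this advice is to inspect the WAR before it is deployed. The script below is an added example, not Red Hat tooling. It assumes a standard WAR layout (jars under WEB-INF/lib), that the SnakeYAML version can be read from the jar file name, and that upstream SnakeYAML 2.0 is the release addressing CVE-2022-1471; the function names and sample archives are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: upstream SnakeYAML 2.0 is the first release addressing CVE-2022-1471.
FIXED_UPSTREAM = (2, 0)
# Matches e.g. WEB-INF/lib/snakeyaml-1.33.jar and captures the numeric version prefix.
JAR_RE = re.compile(r"^WEB-INF/lib/snakeyaml-(\d+(?:\.\d+)*)[^/]*\.jar$")


def bundled_snakeyaml(war):
    """Return [(entry_name, version_tuple)] for SnakeYAML jars packaged in the WAR."""
    found = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m:
                version = tuple(int(p) for p in m.group(1).split("."))
                found.append((name, version))
    return found


def audit(war):
    """Classify a WAR as 'missing', 'below-2.0' or 'ok'."""
    jars = bundled_snakeyaml(war)
    if not jars:
        return "missing"  # application relies on the private EAP module
    # Pad short versions such as (2,) so they compare as (2, 0).
    if any((v + (0, 0))[:2] < FIXED_UPSTREAM for _, v in jars):
        return "below-2.0"  # packaged, but older than the upstream fix
    return "ok"


def make_war(*entries):
    """Build a constructed in-memory WAR with empty placeholder entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry in entries:
            zf.writestr(entry, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample archives, not real deployments.
    for label, war in [
        ("no-jar.war", make_war("WEB-INF/web.xml")),
        ("old-jar.war", make_war("WEB-INF/lib/snakeyaml-1.33.jar")),
        ("new-jar.war", make_war("WEB-INF/lib/snakeyaml-2.0.jar")),
    ]:
        print(label, audit(war))
```

A file-name check does not recognize vendor builds that carry a backported fix under an older version number, so treat "below-2.0" as a prompt to verify the jar's origin rather than as a final verdict.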


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.