Summary of Chemaxon Actions:

Chemaxon architects and engineering teams are actively investigating the vulnerabilities CVE-2022-1471 (Deserialization can cause arbitrary code execution in SnakeYaml) potential exploits. We are committed to watching over our clients for exposure and associated attacks and are taking action with approved mitigation efforts. We are continuing to monitor our own infrastructure and products as more information becomes available.

What does this vulnerability affect?

CVE-2022-1471:

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution.

Chemaxon’s applications inherited this library through Spring, where it is used to parse configuration files. As none of our products accepts YAML as user input the only way this vulnerability can be exploited is by providing malicious configuration to our applications.

The use of YAML configuration files can be completely omitted by our customers, and we also always urge you to protect your configurations by restricting write access to the files for the system administrators.

According to the nature of our use case we consider this vulnerability to have very low likelihood of impact on our affected products. However we still plan to update this library as soon as an one is available.

Our affected products are:

• Compliance Checker
• Compound Registration
• JChem Choral
• JChem MicroServices
• MarvinJS WebServices
• Plexus Connect

Resources:

https://nvd.nist.gov/vuln/detail/CVE-2022-1471