Summary of Chemaxon Actions:
Chemaxon architects and engineering teams are actively investigating CVE-2022-1471 (deserialization in SnakeYAML can cause arbitrary code execution) and its potential exploits. We are committed to watching over our clients' exposure and any associated attacks, and we are acting on approved mitigation efforts. We continue to monitor our own infrastructure and products as more information becomes available.
What does this vulnerability affect?
SnakeYAML's Constructor class does not restrict the types that can be instantiated during deserialization: a global tag of the form !!fully.qualified.ClassName causes the loader to construct that class. Deserializing YAML content supplied by an attacker can therefore lead to remote code execution.
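To make the mechanism concrete, the following is an added Java example (not Chemaxon code and not part of the original advisory). It feeds one constructed YAML document, carrying a global `!!java.net.URL` tag, to SnakeYAML's default loader and to a loader built on `SafeConstructor`. It assumes SnakeYAML 1.x on the classpath; `java.net.URL` and the document contents are illustrative choices standing in for whatever class an attacker would actually name.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlTagDemo {

    // Constructed sample document: the global tag asks the loader to call
    // java.net.URL(String). Any public class on the classpath can be named
    // this way; the class here is chosen only to show the instantiation.
    static final String TAGGED_DOC = "!!java.net.URL [\"http://example.invalid/\"]";

    // Constructed sample of ordinary, tag-free configuration.
    static final String PLAIN_CONFIG = "server:\n  port: 8080\n  host: localhost\n";

    // Vulnerable pattern: new Yaml() in SnakeYAML 1.x uses Constructor,
    // which honours arbitrary !!ClassName tags (CVE-2022-1471).
    static Object loadWithDefaultConstructor(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened pattern: SafeConstructor only builds the standard YAML types
    // (maps, lists, scalars) and rejects global tags with a YAMLException.
    static Object loadWithSafeConstructor(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Object built = loadWithDefaultConstructor(TAGGED_DOC);
        System.out.println("default loader instantiated: " + built.getClass().getName());

        try {
            loadWithSafeConstructor(TAGGED_DOC);
            System.out.println("safe loader built an object (unexpected)");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected the tag: " + e.getMessage());
        }

        // Tag-free configuration loads identically under both loaders, so
        // switching to SafeConstructor costs nothing for plain config files.
        System.out.println("plain config via safe loader: " + loadWithSafeConstructor(PLAIN_CONFIG));
    }
}
```

Compile and run with a SnakeYAML 1.x jar on the classpath. The first call returns a `java.net.URL` instance, demonstrating that the default loader instantiates whatever class the document names; the second fails inside the loader before any object is built. An application that only ever reads maps and scalars from its configuration files can switch to `SafeConstructor` without changing the files themselves. In SnakeYAML 2.x the constructors take a `LoaderOptions` argument and global tags are rejected by default unless a `TagInspector` explicitly permits them, so upgrading is the other route to the same outcome.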
Chemaxon’s applications inherited this library through Spring, where it is used to parse configuration files. Since none of our products accepts YAML as user input, the only way this vulnerability can be exploited is by supplying a malicious configuration file to one of our applications.
Customers can avoid YAML configuration files entirely, and in any case we always urge you to protect your configuration by restricting write access to these files to system administrators.
Given the nature of our use case, we consider this vulnerability to have a very low likelihood of impact on the affected products. We nevertheless plan to update this library as soon as a fixed version is available.
Our affected products are:
- Compliance Checker
- Compound Registration
- JChem Choral
- JChem MicroServices
- MarvinJS WebServices
- Plexus Connect
Resources:
https://nvd.nist.gov/vuln/detail/CVE-2022-1471