70 Release Notes
CWL security fix #6510
Fixed an issue that could allow submission of an untrusted CWL file to initiate remote code execution. The vector was improper deserialization of the YAML source file.
CWL execution is enabled by default unless a CWL stanza is present in the configuration that specifies `enabled: false`. Cromwell instances with CWL disabled were not affected. Consequently, users who wish to mitigate the vulnerability without upgrading Cromwell may do so via this config change.
- Thank you to Bruno P. Kinoshita who first found the issue in a different CWL project (CVE-2021-41110) and Michael R. Crusoe who suggested we investigate ours.
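The defensive pattern behind this class of fix, as an added example that is not Cromwell's code (Cromwell runs on the JVM; Ruby's standard Psych library stands in here): parse the untrusted CWL file with a YAML loader that can only produce plain data, so no tag in the file can instantiate an application object, then validate the document's shape. Both CWL samples are constructed for the example.

```ruby
require "yaml" # Psych, Ruby's standard YAML library

# Raised for any document the loader refuses.
class UntrustedCwlError < StandardError; end

# CWL process classes a workflow engine would accept at the top level.
CWL_CLASSES = %w[CommandLineTool Workflow ExpressionTool].freeze

# Parse an untrusted CWL file as plain YAML data only. permitted_classes: []
# means no tag may construct an application object (Psych raises
# DisallowedClass instead), and aliases are refused because CWL does not
# need them and they are the building block of alias-expansion blowups.
def load_cwl_document(text)
  data = Psych.safe_load(text, permitted_classes: [], aliases: false)
  raise UntrustedCwlError, "top level is not a mapping" unless data.is_a?(Hash)
  raise UntrustedCwlError, "cwlVersion missing" unless data["cwlVersion"].is_a?(String)
  unless CWL_CLASSES.include?(data["class"])
    raise UntrustedCwlError, "unsupported class: #{data["class"].inspect}"
  end
  data
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  raise UntrustedCwlError, "refused CWL document: #{e.message}"
end

# Constructed sample: a minimal, well-formed CommandLineTool.
BENIGN_CWL = <<~YAML
  cwlVersion: v1.2
  class: CommandLineTool
  baseCommand: echo
  inputs:
    message: {type: string, inputBinding: {position: 1}}
  outputs: []
YAML

# Constructed sample: the same shape, but one value carries a tag that asks
# the YAML layer to construct a Ruby object. The loader must refuse it.
TAGGED_CWL = <<~YAML
  cwlVersion: v1.2
  class: CommandLineTool
  baseCommand: !ruby/object:Object {}
  inputs: []
  outputs: []
YAML

if $PROGRAM_NAME == __FILE__
  puts load_cwl_document(BENIGN_CWL)["baseCommand"] # echo
  begin
    load_cwl_document(TAGGED_CWL)
  rescue UntrustedCwlError => e
    puts e.message
  end
end
```

The same split applies on any platform: the YAML layer is restricted to data, and only the application decides what a `class: CommandLineTool` document may do.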