RCE vulnerability in Hyperledger Fabric SDK for Java
Medium
Hyperledger
Reported by freskimo
Vulnerability Details
Technical details and impact analysis
[Hyperledger Fabric SDK for Java version 2.0.0](https://github.com/hyperledger/fabric-sdk-java/tree/v2.0.0) and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.
In the following source files, at the line numbers given, a file is parsed by SnakeYAML with its default constructor, which lets the YAML document instantiate a Java object of any type and so leads to remote code execution.
- fabric-sdk-java/src/main/java/org/hyperledger/fabric/sdk/ChaincodeCollectionConfiguration.java line 121
- fabric-sdk-java/src/main/java/org/hyperledger/fabric/sdk/NetworkConfig.java line 301
- fabric-sdk-java/src/main/java/org/hyperledger/fabric/sdk/ChaincodeEndorsementPolicy.java line 241 and 262
- fabric-sdk-java/src/main/java/org/hyperledger/fabric/sdk/LifecycleChaincodeEndorsementPolicy.java line 228
The set of types the parser may construct should be restricted, for example to standard Java objects such as List or Long, by using SafeConstructor:
```java
Yaml yaml = new Yaml(new SafeConstructor());
```
More information on SnakeYAML can be found at the following URL: https://bitbucket.org/asomov/snakeyaml/wiki/Documentation#markdown-header-loading-yaml
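The following is an added example, not code from the report or from the fabric-sdk-java project, showing the vulnerable and hardened loading patterns side by side. It uses the SnakeYAML 1.x API the report's snippet assumes (SnakeYAML 2.x requires `new SafeConstructor(new LoaderOptions())` instead); `PeerConfig` is a hypothetical bean standing in for any class on the application's classpath, and the YAML document is constructed for the demonstration:

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

import java.util.Map;

// Hypothetical bean: stands in for any class with a no-arg constructor that the
// classpath happens to contain. Nothing about it is specific to the SDK.
class PeerConfig {
    private String url;

    public PeerConfig() {
        System.out.println("PeerConfig instantiated by the YAML parser");
    }

    public String getUrl() { return url; }
    public void setUrl(String url) { this.url = url; }
}

public class YamlLoadingDemo {

    // Constructed sample input: the author of the document, not the application,
    // selects the Java type to build via a global (!!) tag.
    static final String UNTRUSTED_YAML =
            "peer: !!PeerConfig\n" +
            "  url: grpcs://peer0.example.com:7051\n";

    /** Vulnerable pattern: the default Constructor honours any !!fully.qualified.Name tag. */
    static Object loadUnsafe(String document) {
        return new Yaml().load(document);
    }

    /** Hardened pattern: SafeConstructor only builds standard types (Map, List, String, Long, ...). */
    static Object loadSafe(String document) {
        return new Yaml(new SafeConstructor()).load(document);
    }

    @SuppressWarnings("unchecked")
    public static void main(String[] args) {
        // With the default constructor the document chose the type: PeerConfig was built and its setter called.
        Map<String, Object> unsafe = (Map<String, Object>) loadUnsafe(UNTRUSTED_YAML);
        System.out.println("default Yaml produced: " + unsafe.get("peer").getClass().getName());

        // With SafeConstructor the same document is rejected before any class is loaded.
        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("unexpected: SafeConstructor accepted the tag");
        } catch (ConstructorException e) {
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

Running the class prints the bean's constructor message for the default `Yaml`, while the `SafeConstructor` path throws a `ConstructorException` ("could not determine a constructor for the tag ..."), which is the behaviour the fix relies on: configuration files such as the network and endorsement-policy YAML loaded by the SDK only need maps, lists and scalars, so nothing legitimate is lost by refusing global tags.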
## Impact
Remote Code Execution vulnerability
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$200.00
Weakness
Deserialization of Untrusted Data