https://bugzilla.redhat.com/show_bug.cgi?id=1815212
Bug ID: 1815212
Summary: CVE-2020-1953 apache-commons-configuration: uncontrolled class instantiation when loading YAML files
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, ataylor@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, dblechte@redhat.com, decathorpe@gmail.com, dfediuck@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, eedri@redhat.com, eparis@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, fnasser@redhat.com, ganandan@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gvarsami@redhat.com, hhorak@redhat.com, hvyas@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jburrell@redhat.com, jcoleman@redhat.com, jjelen@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jstastny@redhat.com, jwon@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, lthon@redhat.com, mgoldboi@redhat.com, michal.skrivanek@redhat.com, mizdebsk@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, nstielau@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puebele@redhat.com, puntogil@libero.it, rguimara@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sbonazzo@redhat.com, sdaley@redhat.com, sherold@redhat.com, smaestri@redhat.com, SpikeFedora@gmail.com, sponnaga@redhat.com, tcunning@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, vbellur@redhat.com, yturgema@redhat.com
Target Milestone: ---
Classification: Other
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.
References:
https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882b...
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f...
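As an added illustration, not code from this bug report or from the Commons Configuration project: the third-party library the description refers to is SnakeYAML (the bug itself does not name it), and the "special statements" are YAML global tags such as `!!some.java.Class`. The block contrasts the library default, which versions 2.2 to 2.6 left in place, with SnakeYAML's SafeConstructor, which builds only the standard YAML types and rejects a tag that names a Java class. The `Marker` bean, the `YamlHardening` class name and the document string are constructed for the example; the SnakeYAML 1.x API is assumed.

```java
// Added example; assumes SnakeYAML 1.x (org.yaml.snakeyaml) on the classpath.
// SnakeYAML 2.x requires `new SafeConstructor(new LoaderOptions())` instead.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlHardening {

    /** Harmless bean standing in for "whatever class the document names". */
    public static class Marker {
        public String note;
    }

    // Constructed input: a global tag that names an application class.
    // Nothing but the tag distinguishes it from an ordinary mapping.
    static final String TAGGED_DOC = "!!YamlHardening$Marker {note: hello}";

    /** Weak setting: the library default. The tag decides which class gets built. */
    static Object loadWithDefaults(String doc) {
        return new Yaml().load(doc);
    }

    /** Hardened setting: SafeConstructor knows only scalars, lists and maps. */
    static Object loadSafely(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        // Default loader: the document picked the class, and an instance was created.
        Object o = loadWithDefaults(TAGGED_DOC);
        System.out.println("default loader produced: " + o.getClass().getName());

        // Safe loader: the unknown tag is rejected before any class is touched.
        try {
            loadSafely(TAGGED_DOC);
            System.out.println("unexpected: tag accepted");
        } catch (YAMLException e) {
            System.out.println("safe loader rejected the document: " + e.getMessage());
        }

        // Untagged configuration loads identically in both modes.
        System.out.println("plain document: " + loadSafely("timeout: 30").getClass().getName());
    }
}
```

Run it with the snakeyaml jar on the classpath. Because untagged documents load the same way under both constructors, switching an application's own YAML loading to SafeConstructor costs nothing for ordinary configuration files; for Commons Configuration itself the equivalent is to move to the fixed 2.7 release rather than patching the library it bundles.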
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Blocks          |        |1815216
Depends On      |        |1815214, 1815213
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1815213 [Bug 1815213] CVE-2020-1953 apache-commons-configuration: uncontrolled class instantiation when loading YAML files [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1815214 [Bug 1815214] CVE-2020-1953 apache-commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created apache-commons-configuration tracking bugs for this issue:
Affects: fedora-all [bug 1815213]
Created apache-commons-configuration2 tracking bugs for this issue:
Affects: fedora-all [bug 1815214]
Mauro Matteo Cascella mcascell@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Fixed In Version|        |commons-configuration 2.7
--- Comment #2 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Fuse Service Works
* SOA Platform 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #3 from Mauro Matteo Cascella mcascell@redhat.com --- Statement:
Several packages are unaffected because they do not include support for YAML configurations:
* `apache-commons-configuration` as shipped with Red Hat Enterprise Linux 7
* `apache-commons-configuration` as shipped with Red Hat Enterprise Virtualization
* `rh-maven35-apache-commons-configuration` as shipped with Red Hat Software Collections
* `commons-configuration` as shipped with Red Hat Gluster Storage
--- Comment #4 from Mauro Matteo Cascella mcascell@redhat.com --- Upstream fix: https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838...
--- Doc Text *updated* by Ted (Jong Seok) Won jwon@redhat.com --- A flaw was found in Apache Commons Configuration, where it uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.
--- Comment #5 from Ted (Jong Seok) Won jwon@redhat.com --- External References:
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f...
https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838...
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was found in the Apache Commons Configuration, where it uses a third-party library to process YAML files, which by default, allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could load and execute code out of the control of the host application.
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ
Via RHSA-2020:2751 https://access.redhat.com/errata/RHSA-2020:2751
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata
                |        |RHSA-2020:2751
Product Security DevOps Team prodsec-dev@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |CLOSED
Resolution      |---     |ERRATA
Last Closed     |        |2020-06-25 17:20:26
--- Comment #20 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-1953
--- Comment #24 from Chess Hazlett chazlett@redhat.com --- Mitigation:
There is currently no mitigation available for this vulnerability.
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ
Via RHSA-2020:3133 https://access.redhat.com/errata/RHSA-2020:3133
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata
                |        |RHSA-2020:3133
Bug 1815212 depends on bug 1815214, which changed state.
Bug 1815214 Summary: CVE-2020-1953 apache-commons-configuration2: apache-commons-configuration: uncontrolled class instantiation when loading YAML files [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1815214
What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |CLOSED
Resolution      |---     |WONTFIX
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What            |Removed |Added
----------------------------------------------------------------------------
Link ID         |        |Red Hat Product Errata
                |        |RHSA-2020:3192
Bug 1815212 depends on bug 1815213, which changed state.
Bug 1815213 Summary: CVE-2020-1953 apache-commons-configuration: uncontrolled class instantiation when loading YAML files [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1815213
What            |Removed |Added
----------------------------------------------------------------------------
Status          |NEW     |CLOSED
Resolution      |---     |EOL