https://bugzilla.redhat.com/show_bug.cgi?id=1785376
Bug ID: 1785376
Summary: CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: gsuckevi@redhat.com
CC: decathorpe@gmail.com, hhorak@redhat.com, jaromir.capik@email.cz, java-maint@redhat.com, java-sig-commits@lists.fedoraproject.org, jorton@redhat.com, mizdebsk@redhat.com, mo@morsi.org, stewardship-sig@lists.fedoraproject.org
Target Milestone: ---
Classification: Other
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Reference: https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-pr...
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What | Removed | Added
Depends On | | 1785377
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1785377 [Bug 1785377] CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation [fedora-all]
--- Comment #1 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Created snakeyaml tracking bugs for this issue:
Affects: fedora-all [bug 1785377]
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What | Removed | Added
Blocks | | 1785379
Summary | CVE-2017-18640 snakeyaml: the alias feature entity expansion during a load operation | CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation
Alex Scheel ascheel@redhat.com changed:
What | Removed | Added
CC | | ascheel@redhat.com
Flags | | needinfo?(gsuckevi@redhat.com)
--- Comment #2 from Alex Scheel ascheel@redhat.com --- What needs to be done here? Is there a specific patch that needs to be applied?
Upstream's position [0] seems to be that you need to be careful about what inputs you give to snakeyaml. From a snakeyaml packager POV, there's not much we can do if snakeyaml upstream won't fix it and we don't control how packages use snakeyaml downstream or upstream. Would rebasing F30 to 1.25 (like F31 and Rawhide are currently on) suffice, or is there something else required from us? Does 1.25 solve the issue? It isn't immediately clear.
Otherwise I'm inclined to close the Fedora tracker with WONTFIX and point to the upstream wiki.
[0]: https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What | Removed | Added
Flags | needinfo?(gsuckevi@redhat.com) |
--- Comment #3 from Guilherme de Almeida Suckevicz gsuckevi@redhat.com --- Since upstream will not fix this issue, I assume it's OK to close this as WONTFIX. You can wait for the analysis from our side for more information.
--- Comment #4 from Marco Benatto mbenatto@redhat.com --- According to the upstream bug entry, they are not considering this a security vulnerability and are not inclined to fix this issue. Given this scenario, this bug will be closed as WONTFIX.
--- Comment #5 from Marco Benatto mbenatto@redhat.com --- Statement:
SnakeYAML's upstream is not considering this a security vulnerability. Their justification is explained at the link in the 'External References' field.
--- Comment #6 from Marco Benatto mbenatto@redhat.com --- External References:
https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack
Marco Benatto mbenatto@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | WONTFIX
Last Closed | | 2020-02-14 16:27:51
Bug 1785376 depends on bug 1785377, which changed state.
Bug 1785377 Summary: CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785377
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | WONTFIX
Riccardo Schirone rschiron@redhat.com changed:
What | Removed | Added
Depends On | | 1821739
Jonathan Dowland jdowland@redhat.com changed:
What | Removed | Added
CC | | jdowland@redhat.com
--- Comment #8 from Jonathan Dowland jdowland@redhat.com --- upstream have now merged a patch to fix this.
snakeyaml v1.26 contains the fix
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-pr... https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48...
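The upstream fix referenced in this comment is a loader-side cap on how many aliases to collection nodes a single document may use. The following Java snippet is an added example, not code from this bug report or from the SnakeYAML project: it assumes SnakeYAML 1.26 or later (where `LoaderOptions.setMaxAliasesForCollections` exists) and compares a loader built with the library defaults against one with an explicit, tighter cap. The sample YAML document, the class name and the chosen limits are constructed for the demonstration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

/**
 * Added example (not from the bug report or from SnakeYAML itself).
 * Assumes SnakeYAML 1.26+, which introduced
 * LoaderOptions.setMaxAliasesForCollections(int).
 */
public class AliasLimitDemo {

    // Constructed sample: one anchored collection referenced by four aliases.
    // A hostile document nests such references so that every alias multiplies
    // the in-memory size of the result; the cap configured below bounds how
    // many collection aliases the loader resolves before it rejects the input.
    static final String DOC =
            "base: &b [1, 2, 3]\n" +
            "copies:\n" +
            "  - *b\n" +
            "  - *b\n" +
            "  - *b\n" +
            "  - *b\n";

    /** Loader using the library defaults (1.26 ships a default cap; the
     *  1.18 build named in this bug had none). */
    static Yaml defaultLoader() {
        return new Yaml();
    }

    /** Hardened loader: refuse documents that use more than maxAliases
     *  aliases to non-scalar (collection) nodes. */
    static Yaml limitedLoader(int maxAliases) {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(maxAliases);
        return new Yaml(opts);
    }

    /** Returns true if the document loads, false if the loader rejects it. */
    static boolean tryLoad(Yaml yaml, String doc) {
        try {
            Map<String, Object> data = yaml.load(doc);
            return data != null;
        } catch (YAMLException e) {
            // Message text is SnakeYAML's own and is not relied on here.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // DOC uses 4 collection aliases: accepted at cap 10, rejected at cap 3.
        System.out.println("default loader accepts: " + tryLoad(defaultLoader(), DOC));
        System.out.println("cap of 3 accepts:       " + tryLoad(limitedLoader(3), DOC));
        System.out.println("cap of 10 accepts:      " + tryLoad(limitedLoader(10), DOC));
    }
}
```

Applications that load YAML from untrusted sources should pick the cap from the largest legitimate document they expect, since the limit is a property of the loader rather than of the input, and should keep the `YAMLException` path as a logged, failed load rather than a crash.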
Bug 1785376 depends on bug 1785377, which changed state.
Bug 1785377 Summary: CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785377
What | Removed | Added
Status | CLOSED | ASSIGNED
Resolution | WONTFIX | ---
Riccardo Schirone rschiron@redhat.com changed:
What | Removed | Added
Depends On | | 1826310
Bug 1785376 depends on bug 1785377, which changed state.
Bug 1785377 Summary: CVE-2017-18640 snakeyaml: the alias feature allows entity expansion during a load operation [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1785377
What | Removed | Added
Status | ON_QA | CLOSED
Resolution | --- | ERRATA
Tomas Hoger thoger@redhat.com changed:
What | Removed | Added
Depends On | | 1841044
Chess Hazlett chazlett@redhat.com changed:
What | Removed | Added
Fixed In Version | | snakeyaml 1.26
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat build of Quarkus 1.3.4
Via RHSA-2020:2603 https://access.redhat.com/errata/RHSA-2020:2603
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2603
Piyush Bhoot pbhoot@redhat.com changed:
What | Removed | Added
CC | | pbhoot@redhat.com
Marco Benatto mbenatto@redhat.com changed:
What | Removed | Added
Depends On | | 1877534
Marco Benatto mbenatto@redhat.com changed:
What | Removed | Added
Depends On | | 1877545
Tony Garcia antgarci@redhat.com changed:
What | Removed | Added
CC | | antgarci@redhat.com
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:4807 https://access.redhat.com/errata/RHSA-2020:4807
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:4807
Pedro Sampaio psampaio@redhat.com changed:
What | Removed | Added
Blocks | | 1967297
Jonathan Christison jochrist@redhat.com changed:
What | Removed | Added
CC | | aileenc@redhat.com, drieden@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, janstey@redhat.com, jross@redhat.com, rgodfrey@redhat.com, swoodman@redhat.com
--- Comment #21 from Jonathan Christison jochrist@redhat.com --- Marking Red Hat AMQ Streams and Red Hat AMQ Online as not affected; both AMQ-ON and AMQ-ST were incorrectly marked as being affected on Thursday 3rd of June 2021 after investigations into the secondary artifact io.prometheus.jmx:jmx_prometheus_javaagent:jar:* which shades/bundles snakeyaml.
The version of snakeyaml in use by io.prometheus.jmx:jmx_prometheus_javaagent:jar:0.14.0.redhat-00002 is org.yaml:snakeyaml:jar:1.26.0.redhat-00002, which is not affected by this vulnerability. This was fixed in AMQ Streams version 1.6.0 onwards.
AMQ Online was not affected by this vulnerability through io.prometheus.jmx:jmx_prometheus_javaagent:jar:*.
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:3140
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat AMQ Streams 1.8.0
Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:3225
Joshua Mulliken jmullike@redhat.com changed:
What | Removed | Added
CC | | aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com