Bug 2150009 (CVE-2022-1471)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution | | |
| Product | [Other] Security Response | Reporter | Marco Benatto <mbenatto> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | NEW --- | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | abenaiss, ahughes, aileenc, alazarot, anstephe, asoldano, ataylor, avibelli, balejosg, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, cdewolf, chaowan, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dffrench, dfitzmau, dkreling, dosoudil, ehelms, emingora, eric.wittmann, fjansen, fjuma, fmongiar, gjospin, gmalinko, gsmet, gzaronik, ibek, ikanello, ivassile, iweiss, janstey, jburrell, jcantril, jdowland, jnethert, jolee, jpechane, jpoth, jrokos, jross, jschatte, jscholz, jsherril, jstastny, jwon, kaycoth, khosford, kverlaen, lgao, lthon, lzap, max.andersen, mbalao, mhulan, mizdebsk, mmclaugh, mnovotny, mosmerov, msochure, mstefank, msvehla, nboldt, neugens, ngough, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rdey, rgodfrey, rguimara, rkieley, rruss, rstancel, rsvoboda, saroy, sbiarozk, scorneli, sdouglas, sgehwolf, smaestri, spencer.deehring, sraghupu, sthorger, tcunning, tom.jenkinson, vkumar, yfang |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the SnakeYaml package. This flaw allows an attacker to achieve remote code execution by sending malicious YAML content that is then deserialized by the Constructor. This deserialization is unsafe and leads to Remote Code Execution (RCE). | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2272329, 2272330, 2272331, 2132658, 2150037, 2150038, 2150039, 2150040, 2150041, 2150042, 2150044, 2150047, 2150048, 2150049, 2150365, 2150366, 2150367, 2150368, 2150369, 2150370, 2151074, 2151075, 2151076, 2151077, 2151078, 2151079, 2151080, 2151081, 2159443 | | |
| Bug Blocks | 2150008 | | |
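The Doc Text above describes the root cause in one sentence: SnakeYAML's `Constructor` instantiates whatever class a global (`!!`) tag in the document names, so untrusted YAML can choose the type that gets built. The following is an added example, not code from this bug report or from the SnakeYAML project, that places the unsafe loader pattern next to the hardened one. It assumes the SnakeYAML 1.x API (`new Constructor(Class)`, `new SafeConstructor()`, the generic `Yaml.load(String)`); the two YAML documents, the `AppConfig` bean and the `com.example.placeholder.NotAllowed` tag are constructed for the example and are not real classes or inputs from the page.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

// Added example (not from this bug report or the SnakeYAML project). Assumes the
// SnakeYAML 1.x API: Constructor(Class), SafeConstructor() and Yaml.load(String).
public class SnakeYamlLoaderHardening {

    // Plain bean the application actually expects from its config file.
    public static class AppConfig {
        public String name;
        public int port;
    }

    // Constructed input: an ordinary config document.
    static final String BENIGN_YAML = "name: demo\nport: 8080\n";

    // Constructed input: a document carrying a global (!!) tag that names an
    // arbitrary class. The class name is a placeholder, not a real type; the point
    // is that a global tag asks the loader to instantiate a caller-chosen class.
    static final String TAGGED_YAML =
            "name: demo\nport: !!com.example.placeholder.NotAllowed {}\n";

    // VULNERABLE pattern (the one CVE-2022-1471 is about): Constructor resolves a
    // global tag to a class on the classpath and instantiates it, so the YAML
    // document, not the application, decides which types get constructed.
    static AppConfig loadWithConstructor(String yaml) {
        Yaml loader = new Yaml(new Constructor(AppConfig.class));
        return loader.load(yaml);
    }

    // HARDENED pattern: SafeConstructor only builds standard YAML types (maps,
    // lists, scalars) and rejects every global tag, so the document cannot name a
    // class. The application then maps the plain Map onto its own bean explicitly,
    // validating each field it takes.
    static AppConfig loadSafely(String yaml) {
        Yaml loader = new Yaml(new SafeConstructor());
        Map<String, Object> raw = loader.load(yaml);
        AppConfig cfg = new AppConfig();
        cfg.name = String.valueOf(raw.get("name"));
        Object port = raw.get("port");
        if (!(port instanceof Integer)) {
            throw new IllegalArgumentException("port must be an integer");
        }
        cfg.port = (Integer) port;
        return cfg;
    }

    public static void main(String[] args) {
        // On benign input both loaders behave the same, which is why the unsafe
        // pattern goes unnoticed in code review until a tagged document arrives.
        AppConfig viaConstructor = loadWithConstructor(BENIGN_YAML);
        AppConfig viaSafe = loadSafely(BENIGN_YAML);
        System.out.println("Constructor:     " + viaConstructor.name + ":" + viaConstructor.port);
        System.out.println("SafeConstructor: " + viaSafe.name + ":" + viaSafe.port);

        try {
            loadSafely(TAGGED_YAML);
            System.out.println("unexpected: tagged document was accepted");
        } catch (YAMLException e) {
            // SafeConstructor refuses the global tag before any class lookup happens;
            // this exception is the place to log and reject the input.
            System.out.println("SafeConstructor rejected global tag: " + e.getMessage());
        }
    }
}
```

The audit check this suggests is mechanical: grep the code base for `new Constructor(` and `new Yaml()` (which defaults to `Constructor`) on any path that loads YAML from outside the trust boundary, and move those call sites to `SafeConstructor` plus explicit field mapping as above. Newer SnakeYAML releases restrict global tags by default, but the explicit `SafeConstructor` form is the one that does not depend on a library default.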
Description
Marco Benatto
2022-12-01 15:28:10 UTC
This issue has been addressed in the following products:
Red Hat build of Eclipse Vert.x 4.3.4
Via RHSA-2022:9032 https://access.redhat.com/errata/RHSA-2022:9032

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:9058 https://access.redhat.com/errata/RHSA-2022:9058

Hello, when can we expect to see an update for RHEL 8.6 EUS since the rating is "Important Impact"?

In which version of snakeyaml is the bug, and in which version can we expect the fix? Asking because the prodsec tools recently generated 12 JIRAs about snakeyaml but there's no information in here about versions. :(
https://issues.redhat.com/browse/CRW-3658?filter=12405213&jql=project%20%3D%20CRW%20AND%20component%20%3D%20%22productization%3A%20security%20%26%20legal%22%20AND%20labels%20%3D%20SecurityTracking%20AND%20resolution%20is%20EMPTY%20and%20text%20~%20snakeyaml

This issue has been addressed in the following products:
Red Hat build of Quarkus
Via RHSA-2023:0758 https://access.redhat.com/errata/RHSA-2023:0758

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.10
Via RHSA-2023:0697 https://access.redhat.com/errata/RHSA-2023:0697

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.9
Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 7
Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 8
Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 9
Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

This issue has been addressed in the following products:
RHEL-8 based Middleware Containers
Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

This issue has been addressed in the following products:
Red Hat build of Quarkus 2.7.7
Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Via RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1514

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1513

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1512

This issue has been addressed in the following products:
EAP 7.4.10 release
Via RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:1516

This issue has been addressed in the following products:
Red Hat Satellite 6.13 for RHEL 8
Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

This issue has been addressed in the following products:
OpenShift Developer Tools and Services for OCP 4.11
Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198

This issue has been addressed in the following products:
Red Hat support for Spring Boot 2.7.13
Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612

This issue has been addressed in the following products:
Red Hat AMQ Streams 2.5.0
Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165

This issue has been addressed in the following products:
AMQ Clients 3.y for RHEL 8
AMQ Clients 3.y for RHEL 9
Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697

This issue has been addressed in the following products:
RHEL-7 based Middleware Containers
Via RHSA-2024:0325 https://access.redhat.com/errata/RHSA-2024:0325

This issue has been addressed in the following products:
OpenShift Developer Tools and Services for OCP 4.11
Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775

This issue has been addressed in the following products:
RHPAM 7.13.5 async
Via RHSA-2024:1353 https://access.redhat.com/errata/RHSA-2024:1353

Created snakeyaml tracking bugs for this issue:
Affects: epel-all [bug 2272329]
Affects: fedora-all [bug 2272330]

Created texlive-base tracking bugs for this issue:
Affects: fedora-all [bug 2272331]