Bug 1698839 (CVE-2019-10906)

Summary: CVE-2019-10906 python-jinja2: str.format_map allows sandbox escape
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: apevec, bbuckingham, bcourt, bkearney, bmcclain, btotty, dbecker, dblechte, dfediuck, eedri, extras-orphan, hhorak, hhudgeon, hvyas, jjoyce, jorton, jschluet, kbasil, lbalhar, lewk, lhh, lpeer, mburns, mgoldboi, michal.skrivanek, mmccune, orion, pj.pandit, python-maint, rchan, rhos-maint, rjerrido, rschiron, sbonazzo, sclewis, sherold, sisharma, slinaber, ssaha, thomas.moschny, TicoTimo, torsava, vbellur, yturgema
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: jinja 2.10.1
Doc Text:
A flaw was found in Jinja. Python string formatting could allow an attacker to escape the sandbox. The highest threat from this vulnerability is to data confidentiality and integrity and system availability.
Last Closed: 2019-06-10 10:53:56 UTC
Bug Depends On: 1698840, 1699111, 1699112, 1699113, 1699114, 1701123, 1701124, 1701184, 1701300, 1701301, 1701302, 1701303, 1701304, 1701306, 1702428
Bug Blocks: 1698841

Description Dhananjay Arunesh 2019-04-11 10:55:05 UTC
In Pallets Jinja before 2.10.1, str.format_map allows a sandbox escape.

Reference:
https://palletsprojects.com/blog/jinja-2-10-1-released/

Upstream commit:
https://github.com/pallets/jinja/commit/a2a6c930bcca591a25d2b316fcfd2d6793897b26

Comment 1 Dhananjay Arunesh 2019-04-11 11:01:06 UTC
Created python-jinja2 tracking bugs for this issue:

Affects: epel-6 [bug 1698840]

Comment 2 Tomas Hoger 2019-04-11 20:02:01 UTC
Created python-jinja2 tracking bugs for this issue:

Affects: fedora-all [bug 1699111]

Created python3-jinja2 tracking bugs for this issue:

Affects: epel-6 [bug 1699113]
Affects: epel-7 [bug 1699114]

Comment 11 Riccardo Schirone 2019-04-18 15:09:40 UTC
External References:

https://palletsprojects.com/blog/jinja-2-10-1-released/

Comment 23 Summer Long 2019-04-26 04:38:39 UTC
Mitigation:

If you cannot upgrade python-Jinja2, you can override the `is_safe_attribute` method on the sandbox and explicitly disallow the `format_map` method on string objects.
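
Added example (not code from this bug report or from the Jinja project) of the override described above, for Python 3 deployments that cannot move to Jinja 2.10.1: a SandboxedEnvironment subclass whose is_safe_attribute refuses format_map on str objects, so a template reaching for it gets the sandbox's unsafe Undefined and raises SecurityError when used. HardenedSandbox, BLOCKED_STR_ATTRS and render_or_block are names chosen here, the sample templates are constructed, and also refusing str.format is a defensive assumption of the example rather than something the report states.

```python
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Attributes on str that the hardened sandbox refuses to hand to templates.
# "format_map" is the method named in this report; "format" is added as a
# defensive assumption of this example, not something the report states.
BLOCKED_STR_ATTRS = frozenset({"format_map", "format"})


class HardenedSandbox(SandboxedEnvironment):
    """SandboxedEnvironment that denies str.format_map, per the mitigation above."""

    def is_safe_attribute(self, obj, attr, value):
        # Deny the blocked methods on string objects first, then fall back to
        # the sandbox's normal rules (no underscore attributes, and so on).
        # Both template.attr and template['attr'] lookups pass through here.
        if isinstance(obj, str) and attr in BLOCKED_STR_ATTRS:
            return False
        return super().is_safe_attribute(obj, attr, value)


def render_or_block(template_source, **context):
    """Render an untrusted template in the hardened sandbox.

    Returns ("rendered", output) on success. When the template reaches for a
    blocked attribute, the sandbox substitutes an unsafe Undefined whose use
    raises SecurityError, which is reported as ("blocked", reason).
    """
    env = HardenedSandbox()
    try:
        return "rendered", env.from_string(template_source).render(**context)
    except SecurityError as exc:
        return "blocked", str(exc)


if __name__ == "__main__":
    # Constructed sample templates: ordinary string use keeps working, while
    # any attempt to call format_map on a string is refused.
    print(render_or_block("{{ greeting ~ ', ' ~ name }}", greeting="Hello", name="world"))
    print(render_or_block("{{ title.upper() }}", title="abc"))
    print(render_or_block("{{ label.format_map(values) }}", label="{a}", values={"a": 1}))
```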

Comment 24 Riccardo Schirone 2019-04-26 07:22:03 UTC
Statement:

Red Hat Virtualization Management Appliance includes python-jinja2 as a dependency of ovirt-engine-backend, which only uses it with controlled format strings that are not exploitable.
Red Hat Satellite 6 will receive fixes through the underlying Red Hat Enterprise Linux, so it won't issue updates to its own affected package.

This issue does not affect versions of python-jinja2 as shipped with:
* Red Hat Enterprise Linux 6 and 7, as python2 does not support str.format_map.
* Red Hat Update Infrastructure, as it does not use the Sandbox feature, nor does it allow untrusted jinja2 templates.
* Red Hat Ceph Storage 2 and 3 and Red Hat Gluster Storage 3, as python2 does not support str.format_map.
* Red Hat OpenStack Platform 13 and 14, as python2 does not support str.format_map.

Comment 25 Lumír Balhar 2019-05-06 09:04:24 UTC
Why are there no bugs created for the python27:2.7 module, where python-jinja2 is available? Should I create them as a copy of the bugs for rhel 8.0.0 and 8.1.0?

Comment 26 errata-xmlrpc 2019-05-13 10:51:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1152 https://access.redhat.com/errata/RHSA-2019:1152

Comment 29 errata-xmlrpc 2019-05-16 12:56:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1237 https://access.redhat.com/errata/RHSA-2019:1237

Comment 30 errata-xmlrpc 2019-06-04 15:16:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2019:1329 https://access.redhat.com/errata/RHSA-2019:1329