Bug 1785376 (CVE-2017-18640)

Summary: CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, antgarci, ascheel, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, drieden, ggaughan, gmalinko, gsmet, hhorak, janstey, jaromir.capik, java-maint, java-sig-commits, jbalunas, jochrist, jorton, jpallich, jross, jwon, krathod, lthon, mizdebsk, mo, mszynkie, pbhoot, pdrozd, pgallagh, pjindal, rgodfrey, rruss, sbiarozk, sdouglas, sgehwolf, stewardship-sig, sthorger, swoodman
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: snakeyaml 1.26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-02-14 16:27:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1785377, 1821739, 1826310, 1841044, 1877534, 1877545    
Bug Blocks: 1785379, 1967297    

Description Guilherme de Almeida Suckevicz 2019-12-19 19:24:21 UTC 
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Reference:
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
Comment 1 Guilherme de Almeida Suckevicz 2019-12-19 19:24:55 UTC 
Created snakeyaml tracking bugs for this issue:

Affects: fedora-all [bug 1785377]
Comment 2 Alex Scheel 2019-12-19 22:43:42 UTC 
What needs to be done here? Is there a specific patch that needs to be applied?

Upstream's position [0] seems to be that you need to be careful about what inputs you give to snakeyaml. From a snakeyaml packager POV, there's not much we can do if snakeyaml upstream won't fix it and we don't control how packages use snakeyaml downstream or upstream. Would rebasing F30 to 1.25 (like F31 and Rawhide are currently only) suffice, or is there something else required from us? Does 1.25 solve the issue? It isn't immediately clear. 


Otherwise I'm inclined to close the Fedora tracker with WONTFIX and point to the upstream wiki. 


[0]: https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack
Comment 3 Guilherme de Almeida Suckevicz 2019-12-23 13:59:50 UTC 
Since upstream will not fix this issue, I assume that's OK to close this as WONTFIX.
You can wait the analysis from our side for more information.
Comment 4 Marco Benatto 2020-02-14 16:22:53 UTC 
According the upstream bug entry, they are not considering this a security vulnerability and are not inclined to fix this issue. Given this scenario this bugwill be closed as WONTFIX.
Comment 8 Jonathan Dowland 2020-04-15 09:49:28 UTC 
upstream have now merged a patch to fix this.

snakeyaml v1.26 contains the fix
 
https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion
https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c
Comment 10 errata-xmlrpc 2020-06-17 16:34:44 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 1.3.4

Via RHSA-2020:2603 https://access.redhat.com/errata/RHSA-2020:2603
Comment 18 errata-xmlrpc 2020-11-04 04:02:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4807 https://access.redhat.com/errata/RHSA-2020:4807
Comment 21 Jonathan Christison 2021-06-09 09:45:07 UTC 
Marking Red Hat AMQ Streams and Red Hat AMQ Online as not affected, both AMQ-ON and AMQ-ST were incorrectly marked as being affected on Thursday 3rd of June 2021 after investigations into the secondary artifact io.prometheus.jmx:jmx_prometheus_javaagent:jar:* which shades/bundles snakeyaml. 

The version of snakeyaml in use by the io.prometheus.jmx:jmx_prometheus_javaagent:jar:0.14.0.redhat-00002 is org.yaml:snakeyaml:jar:1.26.0.redhat-00002 which is not affected by this vulnerability, this was fixed in AMQ Streams version 1.6.0 onwards.

AMQ Online was not affected by this vulnerability through io.prometheus.jmx:jmx_prometheus_javaagent:jar:*.
Comment 22 errata-xmlrpc 2021-08-11 18:22:29 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
Comment 23 errata-xmlrpc 2021-08-19 07:18:19 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.8.0

Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225