Bug 1785376 (CVE-2017-18640)
Summary: | CVE-2017-18640 snakeyaml: Billion laughs attack via alias feature | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, aileenc, antgarci, ascheel, avibelli, bgeorges, chazlett, clement.escoffier, dandread, dkreling, drieden, ggaughan, gmalinko, gsmet, hhorak, janstey, jaromir.capik, java-maint, java-sig-commits, jbalunas, jochrist, jorton, jpallich, jross, jwon, krathod, lthon, mizdebsk, mo, mszynkie, pbhoot, pdrozd, pgallagh, pjindal, rgodfrey, rruss, sbiarozk, sdouglas, sgehwolf, stewardship-sig, sthorger, swoodman |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | snakeyaml 1.26 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2020-02-14 16:27:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1785377, 1821739, 1826310, 1841044, 1877534, 1877545 | ||
Bug Blocks: | 1785379, 1967297 |
Description
Guilherme de Almeida Suckevicz
2019-12-19 19:24:21 UTC
Created snakeyaml tracking bugs for this issue: Affects: fedora-all [bug 1785377] What needs to be done here? Is there a specific patch that needs to be applied? Upstream's position [0] seems to be that you need to be careful about what inputs you give to snakeyaml. From a snakeyaml packager POV, there's not much we can do if snakeyaml upstream won't fix it and we don't control how packages use snakeyaml downstream or upstream. Would rebasing F30 to 1.25 (like F31 and Rawhide are currently only) suffice, or is there something else required from us? Does 1.25 solve the issue? It isn't immediately clear. Otherwise I'm inclined to close the Fedora tracker with WONTFIX and point to the upstream wiki. [0]: https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack Since upstream will not fix this issue, I assume that's OK to close this as WONTFIX. You can wait the analysis from our side for more information. According the upstream bug entry, they are not considering this a security vulnerability and are not inclined to fix this issue. Given this scenario this bugwill be closed as WONTFIX. upstream have now merged a patch to fix this. snakeyaml v1.26 contains the fix https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion https://bitbucket.org/asomov/snakeyaml/commits/da11ddbd91c1f8392ea932b37fa48110fa54ed8c This issue has been addressed in the following products: Red Hat build of Quarkus 1.3.4 Via RHSA-2020:2603 https://access.redhat.com/errata/RHSA-2020:2603 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4807 https://access.redhat.com/errata/RHSA-2020:4807 Marking Red Hat AMQ Streams and Red Hat AMQ Online as not affected, both AMQ-ON and AMQ-ST were incorrectly marked as being affected on Thursday 3rd of June 2021 after investigations into the secondary artifact io.prometheus.jmx:jmx_prometheus_javaagent:jar:* which shades/bundles snakeyaml. The version of snakeyaml in use by the io.prometheus.jmx:jmx_prometheus_javaagent:jar:0.14.0.redhat-00002 is org.yaml:snakeyaml:jar:1.26.0.redhat-00002 which is not affected by this vulnerability, this was fixed in AMQ Streams version 1.6.0 onwards. AMQ Online was not affected by this vulnerability through io.prometheus.jmx:jmx_prometheus_javaagent:jar:*. This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 This issue has been addressed in the following products: Red Hat AMQ Streams 1.8.0 Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225 |