Bug 1806005 (CVE-2019-20477)

Summary: CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Whiteboard:
Fixed In Version: pyYAML 5.2
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: bdettelb, dbecker, hhorak, jeckersb, jjoyce, jorton, jschluet, j, lhh, lpeer, mburns, orion, python-maint, rschiron, sclewis, sfowler, slinaber, slong, TicoTimo, tomckay
Target Milestone: ---
Target Release: ---
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/apply constructor.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 02:24:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1806010, 1806011, 1806013, 1807434, 1810084
Bug Blocks: 1806012

Description Guilherme de Almeida Suckevicz 2020-02-21 20:02:23 UTC
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

References:
https://github.com/yaml/pyyaml/blob/master/CHANGES

Comment 1 Guilherme de Almeida Suckevicz 2020-02-21 20:04:26 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1806010]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1806011]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1806013]

Comment 2 Summer Long 2020-02-24 05:04:06 UTC
RHOSP: This flaw is a result of incomplete fixes from CVE-2017-18342; the OpenStack analysis at that time still applies.
https://bugzilla.redhat.com/show_bug.cgi?id=1595743#c16

Comment 5 Riccardo Schirone 2020-02-25 10:25:16 UTC
Lowering the Impact of the flaw to Moderate as, as with CVE-2017-18342, the load and load_all functions were already known to be unsafe and should not be used with untrusted input.

Comment 6 Riccardo Schirone 2020-02-25 11:19:38 UTC
The issue is in the new Loader called FullLoader introduced in PyYAML 5.1, which was supposed to fix CVE-2017-18342. FullLoader is used by default by the yaml.load function and it was thought to be safer, as explained in https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation. However, it is still possible to execute arbitrary code by using the python/object/apply constructor.

Upstream PR:
https://github.com/yaml/pyyaml/pull/347

Upstream fix:
https://github.com/yaml/pyyaml/commit/8c5e47fe62d7b9e0282a176a4b79b8b2980dc704
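
The loader behaviour described in the comment above, as an added example written for this page (it is not PyYAML's code and not part of the bug report). It assumes PyYAML is importable as `yaml`; the two documents are constructed here, and `subprocess.Popen` is the callable the CVE text names. The malicious document is only ever handed to SafeLoader, which has no constructor for any `python/` tag and so refuses it before importing anything; `full_loader_affected` encodes the version range stated in this bug (5.1 through 5.1.2, fixed in 5.2) as a plain string comparison.

```python
# Added example for this bug page; not PyYAML's own code and not from the report.
import yaml

# Constructed sample documents (not taken from the report).
# A benign configuration an application might legitimately accept:
BENIGN_DOC = """
listen: 0.0.0.0:8080
workers: 4
tls:
  enabled: true
"""

# The tag class this CVE is about. python/object/apply tells the constructor
# to import the named callable and call it with the sequence as arguments;
# subprocess.Popen is the example the CVE text gives. A loader that honours
# the tag (FullLoader on 5.1 through 5.1.2, the unrestricted Loader on every
# version) spawns the process while "parsing". This document is only ever
# handed to SafeLoader below.
MALICIOUS_DOC = """
!!python/object/apply:subprocess.Popen
- ["id"]
"""


def load_untrusted(text):
    """Parse YAML from an untrusted source with SafeLoader only.

    Equivalent to yaml.safe_load(text); the explicit Loader= keeps the
    choice visible at the call site when auditing.
    """
    return yaml.load(text, Loader=yaml.SafeLoader)


def safe_loader_rejects(text):
    """True if SafeLoader refuses to construct the document.

    SafeConstructor registers no constructor for any tag under
    tag:yaml.org,2002:python/, so it raises ConstructorError instead of
    importing or calling anything.
    """
    try:
        yaml.load(text, Loader=yaml.SafeLoader)
    except yaml.constructor.ConstructorError:
        return True
    return False


def full_loader_affected(version):
    """True for the PyYAML versions whose FullLoader honours
    python/object/apply according to this bug: 5.1 through 5.1.2,
    fixed in 5.2. Plain version-string comparison on major.minor;
    pre-release suffixes are not handled."""
    parts = tuple(int(p) for p in version.split(".")[:2])
    return (5, 1) <= parts < (5, 2)


if __name__ == "__main__":
    print(load_untrusted(BENIGN_DOC))
    print("SafeLoader rejects python/object/apply:",
          safe_loader_rejects(MALICIOUS_DOC))
    print("installed PyYAML", yaml.__version__,
          "FullLoader affected:", full_loader_affected(yaml.__version__))
```

Running it on a patched PyYAML still prints True for the rejection, because SafeLoader's behaviour on `python/` tags is the same on every version; the version check is what tells you whether an existing `yaml.load`/`yaml.full_load` call site is exposed.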

Comment 9 Riccardo Schirone 2020-02-25 17:18:47 UTC
Even though the CVSS is 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the Impact of this flaw is set to Medium as `yaml.load`/`yaml.full_load` should not be used on untrusted input. When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented for a very long time in PyYAML.

Comment 10 Riccardo Schirone 2020-02-26 10:35:37 UTC
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.
Red Hat Enterprise Linux 7 and 8 currently ship an older version of PyYAML that does not contain the vulnerable class, so they are not affected.

Comment 12 Riccardo Schirone 2020-02-26 10:43:23 UTC
Mitigation:

Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
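
Finding the call sites the mitigation above applies to, as an added example (not from the bug report, Red Hat or PyYAML). It walks a module's AST with only the standard library and reports every `yaml.load`/`yaml.load_all` call without a `Loader=` (which defaults to FullLoader on 5.1 and later), with one of the loaders that construct `python/` tags, or via the `full_load`/`unsafe_load` helpers. It assumes the module is used as `yaml.<name>(...)`; a `from yaml import load` alias would be missed, and a `Loader=` value that is not a plain name or attribute is treated as absent. The module it audits is constructed here.

```python
# Added example for this bug page; not from the report, Red Hat or PyYAML.
import ast

# Loaders that construct python/* tags: Loader (the pre-5.1 default) and
# UnsafeLoader on every version; FullLoader on 5.1 through 5.1.2 per this bug.
UNSAFE_LOADERS = {"Loader", "UnsafeLoader", "FullLoader"}
# Module-level helpers that select one of those loaders for you.
UNSAFE_FUNCS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}
# Functions whose behaviour depends on the Loader argument.
LOADER_ARG_FUNCS = {"load", "load_all"}


def _yaml_func_name(func):
    """Return "load" for a call written as yaml.load(...), else None.
    Assumption: the module is referenced as `yaml.<name>`; a
    `from yaml import load` alias is outside this example."""
    if (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)
            and func.value.id == "yaml"):
        return func.attr
    return None


def _loader_name(call):
    """Name of the loader passed as Loader= (or as the second positional
    argument), e.g. "SafeLoader" for Loader=yaml.SafeLoader. None when it
    is absent or not a plain name/attribute."""
    values = [kw.value for kw in call.keywords if kw.arg == "Loader"]
    if not values and len(call.args) >= 2:
        values = [call.args[1]]
    for value in values:
        if isinstance(value, ast.Attribute):
            return value.attr
        if isinstance(value, ast.Name):
            return value.id
    return None


def find_unsafe_yaml_calls(source):
    """Return sorted (lineno, description) pairs for calls that may construct
    python/* tags, i.e. the sites where yaml.safe_load/SafeLoader is needed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _yaml_func_name(node.func)
        if name in UNSAFE_FUNCS:
            findings.append((node.lineno, "yaml.%s()" % name))
        elif name in LOADER_ARG_FUNCS:
            loader = _loader_name(node)
            if loader is None:
                findings.append((node.lineno,
                                 "yaml.%s() without Loader= (defaults to FullLoader on 5.1+)"
                                 % name))
            elif loader in UNSAFE_LOADERS:
                findings.append((node.lineno, "yaml.%s(Loader=%s)" % (name, loader)))
    return sorted(findings)


# Constructed module to audit (not real project code).
SAMPLE = '''\
import yaml
cfg = yaml.safe_load(open("app.yml"))
data = yaml.load(request.body)
more = yaml.load(request.body, Loader=yaml.FullLoader)
docs = yaml.full_load_all(request.body)
ok = yaml.load(request.body, Loader=yaml.SafeLoader)
'''

if __name__ == "__main__":
    for lineno, what in find_unsafe_yaml_calls(SAMPLE):
        print("line %d: %s" % (lineno, what))
```

Lines 3, 4 and 5 of the sample are reported; the `safe_load` call and the explicit `Loader=yaml.SafeLoader` call are not. Whether a reported site is actually exposed still depends on where its input comes from, which is the judgement the product statements in this bug make per component.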

Comment 14 Jason Shepherd 2020-02-27 00:55:58 UTC
Statement:

This issue did not affect the versions of PyYAML as shipped with Red Hat Enterprise Linux 7 and 8, as they did not include the FullLoader class, which contains this vulnerability.

The PyYAML library that is provided in the Red Hat OpenStack repositories is vulnerable. However, because there are no instances where this library is used in a way which exposes the vulnerability, the impact to OpenStack products has been reduced to 'low' and Red Hat will not be providing a fix at this time. Any updates will be through RHEL channels.

Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.

Comment 20 Product Security DevOps Team 2020-11-04 02:24:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-20477

Comment 21 errata-xmlrpc 2020-11-04 02:35:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641

Comment 22 errata-xmlrpc 2021-02-04 16:14:32 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420