Bug 1807367 (CVE-2020-1747)

Summary: CVE-2020-1747 PyYAML: arbitrary command execution through python/object/new when FullLoader is used
Product: [Other] Security Response
Reporter: Riccardo Schirone <rschiron>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, dbecker, hhorak, jeckersb, jjoyce, jorton, jschluet, kmullins, lbalhar, lhh, lpeer, mburns, orion, python-maint, sclewis, security-response-team, slinaber, TicoTimo, tomckay
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: PyYAML 5.3.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/new constructor.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-11-04 02:24:31 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1809010, 1809011, 1810083, 1910658
Bug Blocks: 1807368

Description Riccardo Schirone 2020-02-26 08:26:35 UTC
An arbitrary code execution was discovered in PyYAML when YAML files are parsed by FullLoader. This loader is used by default by yaml.load() when no loader is specified or when yaml.full_load() is used. Applications that use PyYAML to parse untrusted input may be vulnerable to this flaw, which would allow an attacker to execute arbitrary code on the system by abusing the python/object/new constructor.

Comment 1 Riccardo Schirone 2020-02-26 08:26:38 UTC
Acknowledgments:

Name: Riccardo Schirone (Red Hat)

Comment 2 Riccardo Schirone 2020-02-26 10:39:25 UTC
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.

Comment 3 Riccardo Schirone 2020-02-26 10:39:46 UTC
Even though the CVSS is 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the Impact of this flaw is set to Medium as `yaml.load`/`yaml.full_load` should not be used on untrusted input. When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented for a very long time in PyYAML.

Comment 5 Riccardo Schirone 2020-02-26 10:43:27 UTC
Mitigation:

Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
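One way to check a code base for call sites that still reach FullLoader, as an added example that is not part of this report or of PyYAML: a stdlib-only `ast` audit that reports `yaml.load`/`yaml.load_all` calls without a safe loader and any `full_load`/`unsafe_load` variants, including names imported via `from yaml import ...`. The sample module it scans is constructed for the demonstration.

```python
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# PyYAML entry points that pick FullLoader (the vulnerable class) by default or by name.
RISKY_FUNCS = {"load", "load_all", "full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}

# Constructed sample module for the demonstration (not code from any real project).
SAMPLE_SOURCE = """import yaml
from yaml import full_load, load as yload
cfg = yaml.load(open("a.yml"))                 # no Loader: FullLoader by default
ok = yaml.load(text, Loader=yaml.SafeLoader)   # the documented safe form
d = yaml.load(text, yaml.FullLoader)
e = full_load(text)
f = yload(text)
g = json.load(fh)                              # not PyYAML, must not be reported
"""

def _node_name(node):  # bare identifier of a Name/Attribute node, e.g. yaml.FullLoader -> "FullLoader"
    return getattr(node, "attr", None) or getattr(node, "id", None)

def _loader_name(call):
    """Loader class given as Loader=... or as the second positional argument, else None."""
    for kw in call.keywords:
        if kw.arg == "Loader":
            return _node_name(kw.value)
    return _node_name(call.args[1]) if len(call.args) >= 2 else None

def find_unsafe_yaml_loads(source):
    """Return sorted [(lineno, message)] for PyYAML parse calls that do not use a safe loader."""
    tree = ast.parse(source)
    aliases = {}                                # local alias -> PyYAML name, from `from yaml import ...`
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module == "yaml":
            aliases.update({a.asname or a.name: a.name for a in node.names})
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and _node_name(func.value) == "yaml":
            name = func.attr                    # yaml.load(...)
        else:                                   # bare name imported via `from yaml import ...`
            name = aliases.get(func.id) if isinstance(func, ast.Name) else None
        loader = _loader_name(node)
        if name not in RISKY_FUNCS or (name in ("load", "load_all") and loader in SAFE_LOADERS):
            continue
        reason = ("selects a non-safe loader" if name not in ("load", "load_all")
                  else "Loader=" + loader if loader else "defaults to FullLoader")
        findings.append((node.lineno, name + ": " + reason))
    return sorted(findings)
```

Run it over each module of a project (`find_unsafe_yaml_loads(open(path).read())`) to list the lines that need `yaml.safe_load` or `Loader=yaml.SafeLoader`.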

Comment 7 Jason Shepherd 2020-02-27 00:50:23 UTC
Statement:

Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.

Comment 11 Riccardo Schirone 2020-03-02 08:49:58 UTC
Upstream PR:
https://github.com/yaml/pyyaml/pull/386

Comment 13 Riccardo Schirone 2020-03-02 09:36:07 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1809011]

Comment 17 Summer Long 2020-03-05 03:51:49 UTC
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).

Comment 18 Riccardo Schirone 2020-03-24 09:05:43 UTC
Upstream fix:
https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0

Comment 19 Product Security DevOps Team 2020-11-04 02:24:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1747

Comment 20 errata-xmlrpc 2020-11-04 02:35:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641