Bug 1815212 (CVE-2020-1953)
Summary: | CVE-2020-1953 apache-commons-configuration: uncontrolled class instantiation when loading YAML files | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | high | Docs Contact: |
Priority: | high | |
Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dblechte, dfediuck, dkreling, dosoudil, drieden, eedri, etirelli, extras-orphan, fnasser, ganandan, ggaughan, gmalinko, gvarsami, hhorak, hvyas, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jcoleman, jjelen, jochrist, jorton, jpallich, jperkins, jross, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, lthon, mgoldboi, michal.skrivanek, mizdebsk, mnovotny, msochure, msvehla, mszynkie, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, puebele, puntogil, rgodfrey, rguimara, rrajasek, rruss, rsvoboda, rsynek, rwagner, sbonazzo, sdaley, sherold, smaestri, SpikeFedora, tcunning, tkirby, tom.jenkinson, vbellur, yturgema
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | commons-configuration 2.7 | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was found in Apache Commons Configuration, which uses a third-party library to process YAML files; by default, that library allows classes to be instantiated if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could load and execute code outside the control of the host application. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2020-06-25 17:20:26 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1815213, 1815214 | |
Bug Blocks: | 1815216 | |
Description
Guilherme de Almeida Suckevicz
2020-03-19 19:09:55 UTC
Created apache-commons-configuration tracking bugs for this issue:

Affects: fedora-all [bug 1815213]

Created apache-commons-configuration2 tracking bugs for this issue:

Affects: fedora-all [bug 1815214]

This vulnerability is out of security support scope for the following products:

* Fuse Service Works
* SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Statement:

Several packages are unaffected because they do not include support for YAML configurations:

* `apache-commons-configuration` as shipped with Red Hat Enterprise Linux 7
* `apache-commons-configuration` as shipped with Red Hat Enterprise Virtualization
* `rh-maven35-apache-commons-configuration` as shipped with Red Hat Software Collections
* `commons-configuration` as shipped with Red Hat Gluster Storage

Upstream fix: https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641

External References:

https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641

This issue has been addressed in the following products:

Red Hat AMQ

Via RHSA-2020:2751 https://access.redhat.com/errata/RHSA-2020:2751

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1953

Mitigation:

There is currently no mitigation available for this vulnerability.

This issue has been addressed in the following products:

Red Hat AMQ

Via RHSA-2020:3133 https://access.redhat.com/errata/RHSA-2020:3133

This issue has been addressed in the following products:

Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
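The Doc Text above describes a YAML library whose default loader instantiates whatever JVM class a document's tags name; the library Commons Configuration uses is SnakeYAML, and the hardened loading introduced in 2.7 goes through SnakeYAML's `SafeConstructor` instead of the default `Constructor`. The example below is added here and is not code from the bug report or from Commons Configuration: it loads one constructed document with both constructors so the difference is visible. It assumes SnakeYAML 1.33 on the classpath; SnakeYAML 2.x rejects global tags by default even with `Constructor`, so the contrast disappears there.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlConstructorDemo {

    // Constructed sample document (not taken from the bug report). The last line carries a
    // global tag naming a JVM class; java.lang.String is used because it is harmless, the
    // question is only whether the loader honours class tags in untrusted input at all.
    static final String UNTRUSTED_YAML =
          "database:\n"
        + "  host: db.example.internal\n"
        + "  port: 5432\n"
        + "greeting: !!java.lang.String hello\n";

    /** Pre-2.7 behaviour: the default Constructor resolves global tags to classes. */
    static Map<?, ?> loadWithDefaultConstructor(String doc) {
        Yaml yaml = new Yaml(new Constructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    /** 2.7 behaviour: SafeConstructor builds only standard YAML types (map, list, scalar). */
    static Map<?, ?> loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    /** True when the safe loader refuses the document, so no tagged object reaches the app. */
    static boolean rejectedBySafeLoader(String doc) {
        try {
            loadWithSafeConstructor(doc);
            return false;
        } catch (ConstructorException e) {
            // SnakeYAML reports "could not determine a constructor for the tag ..." here
            return true;
        }
    }

    public static void main(String[] args) {
        Map<?, ?> loose = loadWithDefaultConstructor(UNTRUSTED_YAML);
        System.out.println("default Constructor honoured the tag: " + loose.get("greeting"));
        System.out.println("SafeConstructor rejected the document: "
                + rejectedBySafeLoader(UNTRUSTED_YAML));
    }
}
```

For a detection-side check, the same `rejectedBySafeLoader` call run over configuration files already on disk flags any document that relies on class tags, which is exactly the input an affected version would have instantiated.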