Bug 1815212 (CVE-2020-1953)

Summary: CVE-2020-1953 apache-commons-configuration: uncontrolled class instantiation when loading YAML files
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dblechte, dfediuck, dkreling, dosoudil, drieden, eedri, etirelli, extras-orphan, fnasser, ganandan, ggaughan, gmalinko, gvarsami, hhorak, hvyas, ibek, iweiss, janstey, java-maint, java-sig-commits, jawilson, jbalunas, jcoleman, jjelen, jochrist, jorton, jpallich, jperkins, jross, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, lthon, mgoldboi, michal.skrivanek, mizdebsk, mnovotny, msochure, msvehla, mszynkie, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, puebele, puntogil, rgodfrey, rguimara, rrajasek, rruss, rsvoboda, rsynek, rwagner, sbonazzo, sdaley, sherold, smaestri, SpikeFedora, tcunning, tkirby, tom.jenkinson, vbellur, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: commons-configuration 2.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Commons Configuration, which uses a third-party library to process YAML files; by default that library allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could load and execute code out of the control of the host application.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-25 17:20:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1815213, 1815214
Bug Blocks: 1815216

Description Guilherme de Almeida Suckevicz 2020-03-19 19:09:55 UTC
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

References:
https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
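The description does not name the third-party library. The following Java example is added here and is not code from the bug report, from Apache Commons Configuration or from Red Hat; it assumes the library is SnakeYAML 1.x (the parser behind YAMLConfiguration) and shows the library default the description refers to: a global `!!` tag naming a JVM class is instantiated by SnakeYAML's default Constructor, whereas SafeConstructor rejects the same document with a ConstructorException. The YAML input is constructed for the example and uses a deliberately harmless class; the names YamlLoaderCheck, loadWithDefaults and loadSafely are the example's own.

```java
// Added example (not from the bug report): contrasts SnakeYAML's default
// Constructor, which instantiates whatever class a global "!!" tag names,
// with SafeConstructor, which only builds the standard YAML types.
// Assumes org.yaml:snakeyaml 1.x on the classpath.
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoaderCheck {

    // Constructed input. The tag names a harmless class on purpose: the point
    // is that the tag, not the application, chooses which class gets built,
    // which is the uncontrolled instantiation the description talks about.
    static final String TAGGED_YAML = "value: !!java.util.ArrayList [1, 2, 3]\n";

    /** Affected pattern: the default Constructor resolves the tag to a class. */
    static Object loadWithDefaults(String yaml) {
        return new Yaml(new Constructor()).load(yaml);
    }

    /** Hardened pattern: SafeConstructor refuses tags outside the core YAML schema. */
    static Object loadSafely(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> loose = (Map<?, ?>) loadWithDefaults(TAGGED_YAML);
        System.out.println("default Constructor built an instance of: "
                + loose.get("value").getClass().getName());

        try {
            loadSafely(TAGGED_YAML);
            System.out.println("unexpected: SafeConstructor accepted a global tag");
        } catch (ConstructorException e) {
            // This is the behaviour an application wants for untrusted input.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

Compile against SnakeYAML 1.x and run the main method: the first call prints the class name the loader built from the tag, the second reports the rejection. Running this kind of probe against whatever code path an application uses for YAML it does not control tells a defender whether that path behaves like the affected Commons Configuration releases (2.2 through 2.6) or like the fixed 2.7 release named in Fixed In Version.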

Comment 1 Guilherme de Almeida Suckevicz 2020-03-19 19:10:40 UTC
Created apache-commons-configuration tracking bugs for this issue:

Affects: fedora-all [bug 1815213]


Created apache-commons-configuration2 tracking bugs for this issue:

Affects: fedora-all [bug 1815214]

Comment 2 Jonathan Christison 2020-03-23 17:02:16 UTC
This vulnerability is out of security support scope for the following products:
 * Fuse Service Works
 * SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes
for more details.

Comment 3 Mauro Matteo Cascella 2020-03-23 17:09:40 UTC
Statement:

Several packages are unaffected because they do not include support for YAML configurations:
* `apache-commons-configuration` as shipped with Red Hat Enterprise Linux 7
* `apache-commons-configuration` as shipped with Red Hat Enterprise Virtualization
* `rh-maven35-apache-commons-configuration` as shipped with Red Hat Software Collections
* `commons-configuration` as shipped with Red Hat Gluster Storage

Comment 19 errata-xmlrpc 2020-06-25 14:14:49 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:2751 https://access.redhat.com/errata/RHSA-2020:2751

Comment 20 Product Security DevOps Team 2020-06-25 17:20:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1953

Comment 24 Chess Hazlett 2020-07-21 20:26:47 UTC
Mitigation:

There is currently no mitigation available for this vulnerability.

Comment 26 errata-xmlrpc 2020-07-23 15:10:21 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:3133 https://access.redhat.com/errata/RHSA-2020:3133

Comment 27 errata-xmlrpc 2020-07-28 15:56:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192