Bug 1860466 (CVE-2020-14343)

Summary: CVE-2020-14343 PyYAML: incomplete fix for CVE-2020-1747
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bbuckingham, bcourt, bdettelb, bkearney, btotty, cmeyers, ehelms, gblomqui, hhorak, jeckersb, jjoyce, jorton, jschluet, jsherril, j, kbasil, lhh, lpeer, lzap, mabashia, mburns, mhulan, mmccune, myarboro, nmoumoul, notting, orabin, orion, pcreech, python-maint, rchan, rjerrido, sclewis, slinaber, smcdonal, sokeeffe, TicoTimo, tomckay, torsava
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: PyYAML 5.4
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. This flaw allows an attacker to execute arbitrary code on the system by abusing the python/object/new constructor. This flaw is due to an incomplete fix for CVE-2020-1747.
Last Closed: 2021-06-29 16:40:23 UTC
Bug Depends On: 1860468, 1860469, 1860470, 1861784, 1861785, 1910657, 1941794, 1943254, 1949044, 1967303
Bug Blocks: 1860471

Description Guilherme de Almeida Suckevicz 2020-07-24 17:18:31 UTC
The fix made in PyYAML for CVE-2020-1747 was not sufficient to resolve the issue.

Reference:
https://github.com/yaml/pyyaml/issues/420

Comment 1 Guilherme de Almeida Suckevicz 2020-07-24 17:34:13 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1860469]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1860470]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1860468]

Comment 2 Summer Long 2020-07-27 02:07:52 UTC
OpenStack: set to 'notaffected' because the packaged RHOSP version (PyYAML-3.10-11.el7) doesn't have the FullLoader code (lib/yaml/loader.py and constructor.py).

Comment 6 Riccardo Schirone 2020-07-29 13:34:15 UTC
Mitigation:

Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.

Comment 7 Riccardo Schirone 2020-07-29 13:41:22 UTC
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.

Comment 8 Riccardo Schirone 2020-07-29 14:24:35 UTC
The fix for CVE-2020-1747 was to implement a blacklist that prevented some properties from being set when deserializing python objects. However, it is still possible to bypass such a blacklist by carefully nesting objects.

Comment 13 Riccardo Schirone 2020-09-24 08:09:34 UTC
Upstream opinion on the topic: https://github.com/yaml/pyyaml/issues/420#issuecomment-696752389

Comment 15 John Eckersberg 2021-01-15 14:15:07 UTC
Oops, sorry, closed the wrong bug.

Currently getting fixed in Fedora here - https://bugzilla.redhat.com/show_bug.cgi?id=1916496

Once it goes stable I'll update the Fedora CVE bug.

Comment 16 Sam Fowler 2021-01-20 01:14:25 UTC
Upstream fix:

https://github.com/yaml/pyyaml/pull/472

Comment 22 Jason Shepherd 2021-04-16 06:02:54 UTC
Statement:

Ansible Tower 3.7 uses an affected version of PyYAML (3.12) from RHEL, but the use of load() is specified with a SafeLoader when it is called. So Ansible Tower and Ansible Engine are not affected.

Red Hat Quay, from version 3.4, uses the safe_load function, which is not affected by this issue. See [1].

Even though the CVSSv3 for this flaw is 9.8, the Impact has been set to Moderate because PyYAML provides a specific method to deal with untrusted input, which is `yaml.safe_load`. `yaml.safe_load` or the SafeLoader loader should be used whenever the input YAML can be modified by a malicious user.

[1] https://github.com/quay/quay/pull/603
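The mitigation from comments 6 and 22 (parse untrusted input only with `yaml.safe_load` / `SafeLoader`) and the lesson from comment 8 (a per-property blacklist is bypassable by nesting), as an added example that is not code from PyYAML, Red Hat or any product named in this bug. It assumes PyYAML is installed for the parse step; the tag scan is a stdlib-only heuristic that matches the `!!python/` shorthand form, and the hypothetical config documents are constructed for the example.

```python
# Added example (not PyYAML's or any Red Hat package's code): two layers for
# untrusted YAML, a loader-independent scan for python/ tags and a parse that
# uses only SafeLoader, the pattern comment 22 describes Ansible Tower using.
import re

try:
    import yaml  # PyYAML, assumed installed; only needed for the parse step
except ImportError:
    yaml = None

# Match the whole python/ tag family rather than listing "bad" suffixes:
# CVE-2020-14343 showed that FullLoader's per-property blacklist could be
# bypassed by nesting objects, so a deny-list of shapes is the wrong tool.
# Heuristic only: it sees the "!!python/" shorthand, not the verbose
# "!<tag:yaml.org,2002:python/...>" form; SafeLoader is the real control.
PYTHON_TAG = re.compile(r"!!python/[^\s,\[\]{}]*")


def find_python_tags(text):
    """Return [(line_number, tag), ...] for every python/ tag in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        hits.extend((lineno, m.group(0)) for m in PYTHON_TAG.finditer(line))
    return hits


def load_untrusted(text):
    """Parse YAML from an untrusted source; never full_load or FullLoader."""
    hits = find_python_tags(text)
    if hits:
        lineno, tag = hits[0]
        raise ValueError("refusing YAML with %s at line %d" % (tag, lineno))
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    # SafeLoader has no constructor for python/ tags, so even without the
    # scan above it raises yaml.constructor.ConstructorError on them.
    return yaml.load(text, Loader=yaml.SafeLoader)


# Constructed sample: an ordinary-looking config with a python/ tag nested
# two mappings deep, where a flat check of top-level keys would miss it.
TAGGED_DOC = """\
service: web
options:
  retries: 3
  handler: !!python/object/new:collections.OrderedDict []
"""
CLEAN_DOC = "service: web\noptions:\n  retries: 3\n"
```

On a clean document `load_untrusted(CLEAN_DOC)` returns `{'service': 'web', 'options': {'retries': 3}}`; on the tagged one it raises `ValueError` before any loader runs.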

Comment 28 errata-xmlrpc 2021-06-29 16:01:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2583 https://access.redhat.com/errata/RHSA-2021:2583

Comment 29 Product Security DevOps Team 2021-06-29 16:40:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14343

Comment 30 errata-xmlrpc 2021-11-16 14:07:49 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.10 for RHEL 7

Via RHSA-2021:4702 https://access.redhat.com/errata/RHSA-2021:4702