Bug 2034388 (CVE-2021-4178)

Summary: CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abenaiss, aileenc, akoufoud, alazarot, anstephe, avibelli, bgeorges, bibryam, caswilli, chazlett, clement.escoffier, cmoulliard, dandread, dkreling, drieden, ellin, etirelli, ggastald, ggaughan, gmalinko, gsmet, hamadhan, hbraun, ibek, ikanello, janstey, jnethert, jochrist, jpallich, jrokos, jross, jstastny, jwon, kaycoth, krathod, kverlaen, lthon, mnovotny, mszynkie, pantinor, pdelbell, peholase, pgallagh, pjindal, probinso, rrajasek, rruss, rsvoboda, sbiarozk, scorneli, sdouglas, security-response-team, shbose, swoodman, tzimanyi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kubernetes-client-5.0.3, kubernetes-client-5.1.2, kubernetes-client-5.3.2, kubernetes-client-5.4.2, kubernetes-client-5.7.4, kubernetes-client-5.8.1, kubernetes-client-5.11.2 Doc Type: If docs needed, set a value
Doc Text:
A arbitrary code execution flaw was found in the Fabric 8 Kubernetes client affecting versions 5.0.0-beta-1 and above. Due to an improperly configured YAML parsing, this will allow a local and privileged attacker to supply malicious YAML.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-02 21:50:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: Embargoed2034391    

Description Pedro Sampaio 2021-12-20 19:23:08 UTC 
A flaw was found in kubernetes-client. An insecure deserialization issue due to the use of the SnakeYAML library may lead to arbitrary code execution.

References:

https://github.com/fabric8io/kubernetes-client/issues/3653
Comment 13 errata-xmlrpc 2022-02-08 12:52:42 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.6.7

Via RHSA-2022:0467 https://access.redhat.com/errata/RHSA-2022:0467
Comment 14 errata-xmlrpc 2022-02-08 13:56:57 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.0.1

Via RHSA-2022:0469 https://access.redhat.com/errata/RHSA-2022:0469
Comment 15 errata-xmlrpc 2022-02-21 18:23:37 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589
Comment 16 Product Security DevOps Team 2022-03-02 21:50:38 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4178
Comment 17 errata-xmlrpc 2022-03-22 15:35:15 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
Comment 18 errata-xmlrpc 2022-07-07 14:21:44 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
Comment 20 errata-xmlrpc 2022-12-14 13:17:24 UTC 
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2022:8761 https://access.redhat.com/errata/RHSA-2022:8761
Comment 22 errata-xmlrpc 2023-05-24 17:10:40 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299