Bug 2126789 (CVE-2022-25857)

Summary: CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: abenaiss, ahughes, aileenc, alazarot, anstephe, asoldano, ataylor, avibelli, balejosg, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dffrench, didiksupriadi41, dkreling, dosoudil, ehelms, emingora, eric.wittmann, etirelli, fjansen, fjuma, fmongiar, gmalinko, gsmet, gzaronik, hamadhan, ibek, ikanello, iweiss, janstey, jaromir.capik, java-sig-commits, jburrell, jcantril, jerboaa, jnethert, jochrist, jolee, jpechane, jpoth, jrokos, jross, jschatte, jscholz, jsherril, jwon, kaycoth, kverlaen, ldemasi, lgao, lthon, lzap, martin.gieseking, mhulan, mizdebsk, mmccune, mmclaugh, mnovotny, mo, mosmerov, msochure, msvehla, mszynkie, nboldt, ngough, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rgodfrey, rguimara, rkieley, rruss, rstancel, rsvoboda, sbiarozk, scorneli, sdouglas, sgehwolf, smaestri, spotrh, sthorger, tom.jenkinson, tzimanyi, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: org.yaml.snakeyaml 1.31
Doc Text:
A flaw was found in the org.yaml.snakeyaml package: the parser does not limit the nesting depth of collections. An attacker who can supply a YAML document to an application that loads it with snakeyaml can cause a denial of service (DoS) by nesting collections deeply enough to exhaust the parsing thread's stack.
Bug Depends On: 2126841, 2126792, 2126793, 2126794, 2126842, 2128144, 2128468, 2128477, 2132647, 2132648, 2132649, 2132650, 2132653, 2132658, 2159443
Bug Blocks: 2123794

Description Patrick Del Bello 2022-09-14 12:18:14 UTC
The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
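
The following is an added example, not code from the snakeyaml project or from this bug report. It shows the control that snakeyaml 1.31 introduced for this issue, `LoaderOptions.setNestingDepthLimit(int)` (default 50), applied to a constructed document nested far deeper than any legitimate input. With a bounded loader the document is rejected with a `YAMLException` before the composer recurses; on a pre-1.31 snakeyaml the same input is parsed without limit and the thread dies with a `StackOverflowError`, which is the DoS. The class name, the limit of 20 and the test depths are illustrative choices.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingDepthCheck {

    /** Builds a flow-style sequence nested `depth` levels deep, e.g. depth 3 -> "[[[]]]".
     *  This is the constructed test input, standing in for attacker-controlled YAML. */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** How a load attempt ended. */
    enum Outcome { LOADED, REJECTED_BY_LIMIT, STACK_OVERFLOW }

    /** Loads `doc` with an explicit nesting-depth limit (API available from snakeyaml 1.31). */
    static Outcome load(String doc, int nestingDepthLimit) {
        LoaderOptions opts = new LoaderOptions();
        // The 1.31 fix: cap how deep nested collections may go (default 50 if not set).
        // On snakeyaml < 1.31 this method does not exist and there is no such cap.
        opts.setNestingDepthLimit(nestingDepthLimit);
        Yaml yaml = new Yaml(opts);
        try {
            yaml.load(doc);
            return Outcome.LOADED;
        } catch (YAMLException e) {
            // 1.31+ stops composing as soon as the depth limit is exceeded.
            return Outcome.REJECTED_BY_LIMIT;
        } catch (StackOverflowError e) {
            // What an unbounded parser does with the same input: recurse until the stack is gone.
            return Outcome.STACK_OVERFLOW;
        }
    }

    public static void main(String[] args) {
        int limit = 20;   // illustrative value; pick the smallest depth your real documents need
        System.out.println("depth 10,    limit " + limit + ": " + load(nestedSequence(10), limit));
        System.out.println("depth 10000, limit " + limit + ": " + load(nestedSequence(10_000), limit));
    }
}
```

Upgrading to 1.31 alone already applies the default cap of 50, so the call to `setNestingDepthLimit` matters only where a tighter bound is wanted for untrusted input. The example uses the plain `Yaml(LoaderOptions)` constructor to keep the focus on depth; loading untrusted YAML should additionally go through `SafeConstructor`, which is a separate concern from this CVE.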

Comment 1 Patrick Del Bello 2022-09-14 12:37:19 UTC
Created snakeyaml tracking bugs for this issue:

Affects: epel-all [bug 2126792]
Affects: fedora-all [bug 2126793]


Created texlive-base tracking bugs for this issue:

Affects: fedora-all [bug 2126794]

Comment 8 spencer.deehring 2022-09-28 16:04:23 UTC
Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to fix this CVE in RHEL 8. Can we get an update to this package to patch this CVE?

https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218

Comment 9 Andrew John Hughes 2022-09-28 16:07:33 UTC
(In reply to spencer.deehring from comment #8)
> Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to
> fix this CVE in RHEL 8. Can we get an update to this package to patch this
> CVE?
> 
> https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218

A rebuild with the new snakeyaml is in progress. See bug #2128477

Comment 15 errata-xmlrpc 2022-10-05 14:50:16 UTC
This issue has been addressed in the following products:

  Red Hat build of Eclipse Vert.x 4.3.3

Via RHSA-2022:6757 https://access.redhat.com/errata/RHSA-2022:6757

Comment 16 errata-xmlrpc 2022-10-05 16:32:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2022:6823 https://access.redhat.com/errata/RHSA-2022:6823

Comment 17 errata-xmlrpc 2022-10-05 16:35:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:6821 https://access.redhat.com/errata/RHSA-2022:6821

Comment 18 errata-xmlrpc 2022-10-05 16:39:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:6822 https://access.redhat.com/errata/RHSA-2022:6822

Comment 19 errata-xmlrpc 2022-10-05 16:47:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:6825 https://access.redhat.com/errata/RHSA-2022:6825

Comment 20 errata-xmlrpc 2022-10-06 07:35:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6820 https://access.redhat.com/errata/RHSA-2022:6820

Comment 21 Sandipan Roy 2022-10-06 09:44:54 UTC
For RHEL-8 it's downgraded to moderate because "snakeyaml" itself isn't shipped in RHEL 8 or RHEL 9, and "prometheus-jmx-exporter" needs it as a build dependency. And it's not directly exploitable, hence the severity is marked as moderate.

https://access.redhat.com/security/updates/classification/#moderate

Comment 24 errata-xmlrpc 2022-10-06 12:28:27 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 27 errata-xmlrpc 2022-10-13 11:14:37 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus Platform 2.7.6.SP1

Via RHSA-2022:6941 https://access.redhat.com/errata/RHSA-2022:6941

Comment 28 spencer.deehring 2022-10-14 18:23:39 UTC
I see that package prometheus-jmx-exporter has been updated in RHEL 8 to 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package prometheus-jmx-exporter-openjdk8 has not been updated and still contains this CVE. Are there plans to resolve this?

Comment 29 Severin Gehwolf 2022-10-17 08:48:45 UTC
(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

Sorry about that. This should not have happened. I'll get motions started to get relevant sub-package builds pushed as well. Appropriate root-cause analysis is ongoing why this happened in the first place. Thanks for letting us know!

Comment 31 Severin Gehwolf 2022-10-24 13:13:25 UTC
(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

This should be fixed now:

[root@f3e8264d55a2 /]# dnf install prometheus-jmx-exporter-openjdk8
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS              2.2 MB/s | 811 kB     00:00
Red Hat Universal Base Image 8 (RPMs) - AppStream           6.1 MB/s | 3.0 MB     00:00
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder   119 kB/s |  20 kB     00:00
Dependencies resolved.
==============================================================================================================
 Package                           Architecture  Version                           Repository             Size
==============================================================================================================
Installing:
 prometheus-jmx-exporter-openjdk8  noarch        0.12.0-8.el8_6                    ubi-8-appstream-rpms  8.3 k
Installing dependencies:
 avahi-libs                        x86_64        0.7-20.el8                        ubi-8-baseos-rpms      62 k
 copy-jdk-configs                  noarch        4.0-2.el8                         ubi-8-appstream-rpms   31 k
 cups-libs                         x86_64        1:2.2.6-45.el8_6.2                ubi-8-baseos-rpms     435 k
 freetype                          x86_64        2.9.1-4.el8_3.1                   ubi-8-baseos-rpms     394 k
 java-1.8.0-openjdk-headless       x86_64        1:1.8.0.352.b08-2.el8_6           ubi-8-appstream-rpms   34 M
 javapackages-filesystem           noarch        5.3.0-1.module+el8+2447+6f56d9a6  ubi-8-appstream-rpms   30 k
 libjpeg-turbo                     x86_64        1.5.3-12.el8                      ubi-8-appstream-rpms  157 k
 libpng                            x86_64        2:1.6.34-5.el8                    ubi-8-baseos-rpms     126 k
 lksctp-tools                      x86_64        1.0.18-3.el8                      ubi-8-baseos-rpms     100 k
 lua                               x86_64        5.3.4-12.el8                      ubi-8-appstream-rpms  192 k
 nspr                              x86_64        4.34.0-3.el8_6                    ubi-8-appstream-rpms  143 k
 nss                               x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  747 k
 nss-softokn                       x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  1.2 M
 nss-softokn-freebl                x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  398 k
 nss-sysinit                       x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms   75 k
 nss-util                          x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  139 k
 prometheus-jmx-exporter           noarch        0.12.0-8.el8_6                    ubi-8-appstream-rpms  486 k
 tzdata-java                       noarch        2022e-1.el8                       ubi-8-appstream-rpms  186 k
Enabling module streams:
 javapackages-runtime                            201801

Transaction Summary
==============================================================================================================
Install  19 Packages

Total download size: 39 M
Installed size: 129 M
Is this ok [y/N]: n

Comment 35 errata-xmlrpc 2022-11-17 13:40:21 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.0

Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524

Comment 37 errata-xmlrpc 2022-11-28 14:40:02 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

Comment 38 errata-xmlrpc 2022-12-07 08:19:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AMQ

Via RHSA-2022:8876 https://access.redhat.com/errata/RHSA-2022:8876

Comment 43 errata-xmlrpc 2023-02-08 18:38:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0560 https://access.redhat.com/errata/RHSA-2023:0560

Comment 44 errata-xmlrpc 2023-02-22 23:59:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777

Comment 45 errata-xmlrpc 2023-03-01 21:43:00 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 46 errata-xmlrpc 2023-03-01 21:45:27 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 47 errata-xmlrpc 2023-03-01 21:47:58 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 48 errata-xmlrpc 2023-03-01 21:50:45 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 49 errata-xmlrpc 2023-03-01 21:58:55 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 53 errata-xmlrpc 2023-05-03 13:19:31 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

Comment 54 errata-xmlrpc 2023-05-03 14:05:33 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 59 errata-xmlrpc 2023-05-17 17:50:37 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198

Comment 60 errata-xmlrpc 2023-06-15 15:23:50 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.18.3.P2

Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641

Comment 63 errata-xmlrpc 2023-09-05 18:37:06 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.4 async

Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983

Comment 65 errata-xmlrpc 2023-10-30 12:34:57 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179

Comment 66 errata-xmlrpc 2023-11-15 19:24:28 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.14

Via RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288

Comment 67 errata-xmlrpc 2023-12-07 13:42:00 UTC
This issue has been addressed in the following products:

  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9

Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697

Comment 69 errata-xmlrpc 2024-02-12 10:23:50 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776

Comment 70 errata-xmlrpc 2024-02-12 10:25:07 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.14

Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777

Comment 71 errata-xmlrpc 2024-02-12 10:36:35 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778