Bug 2126789 (CVE-2022-25857)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections | | |
| Product | [Other] Security Response | Reporter | Patrick Del Bello <pdelbell> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | NEW --- | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | abenaiss, ahughes, aileenc, alazarot, anstephe, asoldano, ataylor, avibelli, balejosg, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, cdewolf, chazlett, clement.escoffier, cmoulliard, dandread, darran.lofthouse, dffrench, didiksupriadi41, dkreling, dosoudil, ehelms, emingora, eric.wittmann, etirelli, fjansen, fjuma, fmongiar, gmalinko, gsmet, gzaronik, hamadhan, ibek, ikanello, iweiss, janstey, jaromir.capik, java-sig-commits, jburrell, jcantril, jerboaa, jnethert, jochrist, jolee, jpechane, jpoth, jrokos, jross, jschatte, jscholz, jsherril, jwon, kaycoth, kverlaen, ldemasi, lgao, lthon, lzap, martin.gieseking, mhulan, mizdebsk, mmccune, mmclaugh, mnovotny, mo, mosmerov, msochure, msvehla, mszynkie, nboldt, ngough, nmoumoul, nwallace, orabin, pantinor, pcreech, pdelbell, pdrozd, peholase, periklis, pgallagh, pjindal, pmackay, probinso, pskopek, rchan, rgodfrey, rguimara, rkieley, rruss, rstancel, rsvoboda, sbiarozk, scorneli, sdouglas, sgehwolf, smaestri, spotrh, sthorger, tom.jenkinson, tzimanyi, vkumar |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | org.yaml.snakeyaml 1.31 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2126841, 2126792, 2126793, 2126794, 2126842, 2128144, 2128468, 2128477, 2132647, 2132648, 2132649, 2132650, 2132653, 2132658, 2159443 | | |
| Bug Blocks | 2123794 | | |
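The "Fixed In Version" above refers to the nesting-depth limit that SnakeYAML 1.31 added to `LoaderOptions`. The following is an added example written for this page, not code from the bug report, from Red Hat, or from the SnakeYAML project; it assumes `org.yaml:snakeyaml` 1.31 or newer on the classpath, and the class name `NestingDepthDemo` and the helper names are this example's own. It builds a deeply nested flow sequence, which is the kind of tiny input that drove pre-1.31 versions into unbounded recursion in the composer, and shows how a fixed version rejects it once the configured depth is exceeded while a normal document still loads.

```java
// Added example (not from the bug report or the SnakeYAML project): shows the
// nesting-depth limit that SnakeYAML 1.31 introduced in LoaderOptions, and why
// a version without it can be knocked over by a few kilobytes of YAML.
// Assumes org.yaml:snakeyaml:1.31 or newer on the classpath.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.error.YAMLException;

public class NestingDepthDemo {

    /** Builds a flow sequence nested `depth` levels deep: [[[...]]] (constructed input). */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /**
     * Loads yamlText with an explicit nesting-depth limit.
     * Returns true if the document was accepted, false if the limit rejected it.
     */
    static boolean loadsWithin(String yamlText, int nestingDepthLimit) {
        LoaderOptions opts = new LoaderOptions();
        // Added in 1.31; the default is 50. Releases before 1.31 have no such
        // setting, so there the only fix is to upgrade.
        opts.setNestingDepthLimit(nestingDepthLimit);
        Yaml yaml = new Yaml(opts);
        try {
            yaml.load(yamlText);
            return true;
        } catch (YAMLException e) {
            // A fixed version fails fast here instead of recursing until the
            // JVM throws StackOverflowError, which is the DoS in this CVE.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a harmless document and a hostile one.
        String small = nestedSequence(10);
        String hostile = nestedSequence(100_000); // about 200 KB, cheap for an attacker

        System.out.println("10 levels, limit 50:      " + loadsWithin(small, 50));
        System.out.println("100000 levels, limit 50:  " + loadsWithin(hostile, 50));

        // Raising the limit far above what your documents need reopens the
        // problem; keep it at the default unless a real schema requires more.
    }
}
```

Run it with `java -cp snakeyaml-1.31.jar:. NestingDepthDemo` (path is an assumption). The first call prints `true`, the second prints the rejection message and `false`. If a service accepts YAML from untrusted clients and cannot upgrade immediately, the only partial mitigation is an input size cap in front of the parser; the depth check itself does not exist before 1.31.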
Description
Patrick Del Bello
2022-09-14 12:18:14 UTC
Created snakeyaml tracking bugs for this issue:

Affects: epel-all [bug 2126792]
Affects: fedora-all [bug 2126793]

Created texlive-base tracking bugs for this issue:

Affects: fedora-all [bug 2126794]

Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to fix this CVE in RHEL 8. Can we get an update to this package to patch this CVE?

https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218

(In reply to spencer.deehring from comment #8)
> Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to
> fix this CVE in RHEL 8. Can we get an update to this package to patch this
> CVE?
>
> https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218

A rebuild with the new snakeyaml is in progress. See bug #2128477

This issue has been addressed in the following products:
  Red Hat build of Eclipse Vert.x 4.3.3
Via RHSA-2022:6757 https://access.redhat.com/errata/RHSA-2022:6757

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Via RHSA-2022:6823 https://access.redhat.com/errata/RHSA-2022:6823

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2022:6821 https://access.redhat.com/errata/RHSA-2022:6821

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2022:6822 https://access.redhat.com/errata/RHSA-2022:6822

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform
Via RHSA-2022:6825 https://access.redhat.com/errata/RHSA-2022:6825

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2022:6820 https://access.redhat.com/errata/RHSA-2022:6820

For RHEL-8 it's downgraded to moderate because "snakeyaml" itself in RHEL 8 or RHEL-9 isn't shipped and "prometheus-jmx-exporter" is needed as build dependency.
And it's not directly exploitable, hence severity marked as moderate.
https://access.redhat.com/security/updates/classification/#moderate

This issue has been addressed in the following products:
  RHINT Service Registry 2.3.0 GA
Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

This issue has been addressed in the following products:
  Red Hat build of Quarkus Platform 2.7.6.SP1
Via RHSA-2022:6941 https://access.redhat.com/errata/RHSA-2022:6941

I see that package prometheus-jmx-exporter has been updated in RHEL 8 to 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package prometheus-jmx-exporter-openjdk8 has not been updated and still contains this CVE. Are there plans to resolve this?

(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

Sorry about that. This should not have happened. I'll get motions started to get relevant sub-package builds pushed as well. Appropriate root-cause analysis is ongoing why this happened in the first place. Thanks for letting us know!

(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

This should be fixed now:

    [root@f3e8264d55a2 /]# dnf install prometheus-jmx-exporter-openjdk8
    Updating Subscription Management repositories.
    Unable to read consumer identity
    This system is not registered with an entitlement server. You can use subscription-manager to register.
    Red Hat Universal Base Image 8 (RPMs) - BaseOS             2.2 MB/s | 811 kB  00:00
    Red Hat Universal Base Image 8 (RPMs) - AppStream          6.1 MB/s | 3.0 MB  00:00
    Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder  119 kB/s |  20 kB  00:00
    Dependencies resolved.
    ================================================================================================
     Package                           Architecture  Version                           Repository             Size
    ================================================================================================
    Installing:
     prometheus-jmx-exporter-openjdk8  noarch        0.12.0-8.el8_6                    ubi-8-appstream-rpms  8.3 k
    Installing dependencies:
     avahi-libs                        x86_64        0.7-20.el8                        ubi-8-baseos-rpms      62 k
     copy-jdk-configs                  noarch        4.0-2.el8                         ubi-8-appstream-rpms   31 k
     cups-libs                         x86_64        1:2.2.6-45.el8_6.2                ubi-8-baseos-rpms     435 k
     freetype                          x86_64        2.9.1-4.el8_3.1                   ubi-8-baseos-rpms     394 k
     java-1.8.0-openjdk-headless       x86_64        1:1.8.0.352.b08-2.el8_6           ubi-8-appstream-rpms   34 M
     javapackages-filesystem           noarch        5.3.0-1.module+el8+2447+6f56d9a6  ubi-8-appstream-rpms   30 k
     libjpeg-turbo                     x86_64        1.5.3-12.el8                      ubi-8-appstream-rpms  157 k
     libpng                            x86_64        2:1.6.34-5.el8                    ubi-8-baseos-rpms     126 k
     lksctp-tools                      x86_64        1.0.18-3.el8                      ubi-8-baseos-rpms     100 k
     lua                               x86_64        5.3.4-12.el8                      ubi-8-appstream-rpms  192 k
     nspr                              x86_64        4.34.0-3.el8_6                    ubi-8-appstream-rpms  143 k
     nss                               x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  747 k
     nss-softokn                       x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  1.2 M
     nss-softokn-freebl                x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  398 k
     nss-sysinit                       x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms   75 k
     nss-util                          x86_64        3.79.0-10.el8_6                   ubi-8-appstream-rpms  139 k
     prometheus-jmx-exporter           noarch        0.12.0-8.el8_6                    ubi-8-appstream-rpms  486 k
     tzdata-java                       noarch        2022e-1.el8                       ubi-8-appstream-rpms  186 k
    Enabling module streams:
     javapackages-runtime              201801

    Transaction Summary
    ================================================================================================
    Install  19 Packages

    Total download size: 39 M
    Installed size: 129 M
    Is this ok [y/N]: n

This issue has been addressed in the following products:
  Red Hat Data Grid 8.4.0
Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524

This issue has been addressed in the following products:
  Red Hat Fuse 7.11.1
Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

This issue has been addressed in the following products:
  Red Hat JBoss AMQ
Via RHSA-2022:8876 https://access.redhat.com/errata/RHSA-2022:8876

This issue has been addressed in the following products:
  Red Hat OpenShift Container Platform 4.10
Via RHSA-2023:0560 https://access.redhat.com/errata/RHSA-2023:0560

This issue has been addressed in the following products:
  Red Hat OpenShift Container Platform 4.9
Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777

This issue has been addressed in the following products:
  Red Hat Single Sign-On 7.6 for RHEL 7
Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

This issue has been addressed in the following products:
  Red Hat Single Sign-On 7.6 for RHEL 8
Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

This issue has been addressed in the following products:
  Red Hat Single Sign-On 7.6 for RHEL 9
Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

This issue has been addressed in the following products:
  RHEL-8 based Middleware Containers
Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

This issue has been addressed in the following products:
  Red Hat Single Sign-On
Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

This issue has been addressed in the following products:
  Red Hat Satellite 6.13 for RHEL 8
Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

This issue has been addressed in the following products:
  RHINT Camel-Springboot 3.20.1
Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

This issue has been addressed in the following products:
  OpenShift Developer Tools and Services for OCP 4.11
Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198

This issue has been addressed in the following products:
  RHINT Camel-Springboot 3.18.3.P2
Via RHSA-2023:3641 https://access.redhat.com/errata/RHSA-2023:3641

This issue has been addressed in the following products:
  RHPAM 7.13.4 async
Via RHSA-2023:4983 https://access.redhat.com/errata/RHSA-2023:4983

This issue has been addressed in the following products:
  OpenShift Developer Tools and Services for OCP 4.13
Via RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179

This issue has been addressed in the following products:
  OpenShift Developer Tools and Services for OCP 4.14
Via RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288

This issue has been addressed in the following products:
  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9
Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697

This issue has been addressed in the following products:
  OpenShift Developer Tools and Services for OCP 4.13
Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776

This issue has been addressed in the following products:
  OpenShift Developer Tools and Services for OCP 4.14
Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777

This issue has been addressed in the following products:
  OpenShift Developer Tools and Services for OCP 4.12
Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778