PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342. References: https://github.com/yaml/pyyaml/blob/master/CHANGES
Created PyYAML tracking bugs for this issue: Affects: fedora-all [bug 1806010]
Created python2-pyyaml tracking bugs for this issue: Affects: epel-all [bug 1806011]
Created python3-PyYAML tracking bugs for this issue: Affects: epel-all [bug 1806013]
RHOSP: This flaw is a result of incomplete fixes from CVE-2017-18342; the OpenStack analysis at that time still applies. https://bugzilla.redhat.com/show_bug.cgi?id=1595743#c16
Lowering the Impact of the flaw to Moderate as, as for CVE-2017-18342, the load and load_all functions were already known to be unsafe and should not be used with untrusted input.
The issue is in the new Loader called FullLoader introduced in PyYAML 5.1, which was supposed to fix CVE-2017-18342. FullLoader is used by default by the yaml.load function and it was thought it was safer as explained in https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation. However, it is still possible to execute arbitrary code by using the python/object/apply constructor. Upstream PR: https://github.com/yaml/pyyaml/pull/347 Upstream fix: https://github.com/yaml/pyyaml/commit/8c5e47fe62d7b9e0282a176a4b79b8b2980dc704
Even though the CVSS is 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the Impact of this flaw is set to Medium as `yaml.load`/`yaml.full_load` should not be used on untrusted input. When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented for a very long time in PyYAML.
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1. Red Hat Enterprise Linux 7 and 8 currently ship an older version of PyYAML that does not contain the vulnerable class, so they are not affected.
Mitigation: Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.
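Added example (not from this bug report or from PyYAML itself) of the mitigation above: a standard-library scan for the `!!python/` tags that FullLoader resolved, followed by `yaml.safe_load`. The sample document, the `os.getcwd` callable and the function names are constructed for illustration.

```python
import re

# Any "!!python/..." tag in input from an untrusted source is a red flag:
# these are the tags that PyYAML 5.1-5.1.2's FullLoader still turned into
# Python callables (the python/object/apply constructor named in the advisory).
PYTHON_TAG = re.compile(r"!!python/[\w/.:]+")

# Constructed sample document, not taken from the advisory. It uses a harmless
# callable purely to show the shape of a tagged value.
SAMPLE_UNTRUSTED = """\
name: example
cwd: !!python/object/apply:os.getcwd []
"""


def find_python_tags(text):
    """Return the distinct !!python/... tags found in a YAML document.

    This is a textual check, so a tag inside a quoted string is flagged too;
    for untrusted input that false positive is acceptable and easy to log.
    """
    return sorted(set(PYTHON_TAG.findall(text)))


def load_untrusted(text):
    """Parse YAML from an untrusted source.

    Refuses the document outright if it carries any !!python/ tag (giving a
    clear, loggable reason), then parses it with yaml.safe_load, which only
    constructs plain YAML types and never resolves Python objects.
    """
    tags = find_python_tags(text)
    if tags:
        raise ValueError("refusing YAML with Python tags: " + ", ".join(tags))
    import yaml  # lazy import so the tag scanner also works without PyYAML
    return yaml.safe_load(text)


if __name__ == "__main__":
    print(find_python_tags(SAMPLE_UNTRUSTED))  # ['!!python/object/apply:os.getcwd']
    try:
        load_untrusted(SAMPLE_UNTRUSTED)
    except ValueError as exc:
        print("blocked:", exc)
```

Even without the pre-scan, `yaml.safe_load` rejects such a tag with a ConstructorError; the scan only makes the refusal explicit and detectable before any parsing happens.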
Statement: This issue did not affect the versions of PyYAML as shipped with Red Hat Enterprise Linux 7 and 8 as they did not include the class FullLoader, which contains this vulnerability. The PyYAML library that is provided in the Red Hat OpenStack repositories is vulnerable. However, because there are no instances where this library is used in a way which exposes the vulnerability, the impact to OpenStack products has been reduced to 'low' and Red Hat will not be providing a fix at this time. Any updates will be through RHEL channels. Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-20477
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:4641 https://access.redhat.com/errata/RHSA-2020:4641
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:0420 https://access.redhat.com/errata/RHSA-2021:0420