Bug 1806005 (CVE-2019-20477) - CVE-2019-20477 PyYAML: command execution through python/object/apply constructor in FullLoader
Summary: CVE-2019-20477 PyYAML: command execution through python/object/apply construc...
Keywords:
Status: NEW
Alias: CVE-2019-20477
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1807434 1806010 1806011 1806013 1810084
Blocks: 1806012
TreeView+ depends on / blocked
 
Reported: 2020-02-21 20:02 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-04-25 18:20 UTC (History)
22 users (show)

Fixed In Version: pyYAML 5.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in the PyYAML library, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader. Applications that use the library to process untrusted input may be vulnerable to this flaw. An attacker could use this flaw to execute arbitrary code on the system by abusing the python/object/apply constructor.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-02-21 20:02:23 UTC
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue, e.g., Popen is a class in the subprocess module. NOTE: this issue exists because of an incomplete fix for CVE-2017-18342.

References:
https://github.com/yaml/pyyaml/blob/master/CHANGES

Comment 1 Guilherme de Almeida Suckevicz 2020-02-21 20:04:26 UTC
Created PyYAML tracking bugs for this issue:

Affects: fedora-all [bug 1806010]


Created python2-pyyaml tracking bugs for this issue:

Affects: epel-all [bug 1806011]


Created python3-PyYAML tracking bugs for this issue:

Affects: epel-all [bug 1806013]

Comment 2 Summer Long 2020-02-24 05:04:06 UTC
RHOSP: This flaw is a result of incomplete fixes from CVE-2017-18342; the OpenStack analysis at that time still applies.
https://bugzilla.redhat.com/show_bug.cgi?id=1595743#c16

Comment 5 Riccardo Schirone 2020-02-25 10:25:16 UTC
Lowering the Impact of the flaw to Moderate as, same for CVE-2017-18342, load and load_all functions were already known to be unsafe and they should not be used with untrusted input.

Comment 6 Riccardo Schirone 2020-02-25 11:19:38 UTC
The issue is in the new Loader called FullLoader introduced in PyYAML 5.1, which was supposed to fix CVE-2017-18342. FullLoader is used by default by the yaml.load function and it was thought it was safer as explained in https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation. However, it is still possible to execute arbitrary code by using the python/object/apply constructor.

Upstream PR:
https://github.com/yaml/pyyaml/pull/347

Upstream fix:
https://github.com/yaml/pyyaml/commit/8c5e47fe62d7b9e0282a176a4b79b8b2980dc704

Comment 9 Riccardo Schirone 2020-02-25 17:18:47 UTC
Even though the CVSS is 9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, the Impact of this flaw is set to Medium as `yaml.load`/`yaml.full_load` should not be used on untrusted input. When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented for a very long time in PyYAML.

Comment 10 Riccardo Schirone 2020-02-26 10:35:37 UTC
FullLoader, which is the class where this vulnerability lies, was introduced in upstream version 5.1.
Red Hat Enterprise Linux 7 and 8 currently ship an older version of PyYAML, that does not contain the vulnerable class, so they are not affected.

Comment 12 Riccardo Schirone 2020-02-26 10:43:23 UTC
Mitigation:

Use `yaml.safe_load` or the SafeLoader loader when you parse untrusted input.

Comment 14 Jason Shepherd 2020-02-27 00:55:58 UTC
Statement:

This issue did not affect the versions of PyYAML as shipped with Red Hat Enterprise Linux 7, and 8 as they did not include the class FullLoader, which contains this vulnerability.

The PyYAML libary that is provided in the Red Hat OpenStack repositories is vulnerable. However, because there are no instances where this library is used in a way which exposes the vulnerability, the impact to OpenStack products has been reduced to 'low' and Red Hat will not be providing a fix at this time.  Any updates will be through RHEL channels.

Red Hat Quay 3.2 uses the vulnerable load function, but only to parse the Nginx configuration file, which only contains trusted data.


Note You need to log in before you can comment on or make changes to this bug.