Bug 1815212 (CVE-2020-1953) - CVE-2020-1953 apache-commons-configuration: uncontrolled class instantiation when loading YAML files
Summary: CVE-2020-1953 apache-commons-configuration: uncontrolled class instantiation ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1953
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1815213 1815214
Blocks: 1815216
Reported: 2020-03-19 19:09 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 20:27 UTC
CC: 87 users

Fixed In Version: commons-configuration 2.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Commons Configuration, which uses a third-party library to process YAML files; that library, by default, allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library. If a YAML file was loaded from an untrusted source, it could load and execute code outside the control of the host application.
Clone Of:
Environment:
Last Closed: 2020-06-25 17:20:26 UTC
Embargoed:


Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata   RHSA-2020:2751  0        None      None    None     2020-06-25 14:14:53 UTC
Red Hat Product Errata   RHSA-2020:3133  0        None      None    None     2020-07-23 15:10:26 UTC
Red Hat Product Errata   RHSA-2020:3192  0        None      None    None     2020-07-28 15:56:13 UTC

Description Guilherme de Almeida Suckevicz 2020-03-19 19:09:55 UTC
Apache Commons Configuration uses a third-party library to parse YAML files which by default allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5, 2.6 did not change the default settings of this library. So if a YAML file was loaded from an untrusted source, it could therefore load and execute code out of the control of the host application.

References:
https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
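
The weak default beside the corrected setting, as an added example that is not part of this bug report or of the Commons Configuration code base. It assumes the third-party library in question is SnakeYAML 1.x (org.yaml.snakeyaml) and uses only its public Yaml, SafeConstructor and ConstructorException classes; both YAML documents are constructed samples.

```java
// Assumption: the "third-party library" named in the advisory is SnakeYAML 1.x,
// the YAML parser behind commons-configuration's YAML support.
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

public class YamlLoaderComparison {

    // Constructed sample: an ordinary configuration document with no type tags.
    static final String PLAIN_CONFIG =
            "server:\n  host: config.example\n  port: 8443\n";

    // Constructed sample: the same document, but one value carries a
    // "!!<fully qualified class>" global tag. SnakeYAML's default Constructor
    // resolves such a tag with Class.forName and instantiates that class; a
    // harmless JDK collection stands in here for any class on the classpath.
    static final String TAGGED_CONFIG =
            "server:\n  host: config.example\n  ports: !!java.util.ArrayList [8443, 8444]\n";

    // Weak setting (what versions 2.2 to 2.6 effectively shipped): the default
    // Yaml(), whose Constructor honours global tags and builds the named class.
    static Object loadWithDefaultConstructor(String document) {
        return new Yaml().load(document);
    }

    // Corrected setting: SafeConstructor knows only the standard YAML tags
    // (str, int, map, seq, ...) and rejects any "!!some.Class" tag outright.
    static Object loadWithSafeConstructor(String document) {
        return new Yaml(new SafeConstructor()).load(document);
    }

    public static void main(String[] args) {
        // Both loaders accept a plain document.
        System.out.println(loadWithDefaultConstructor(PLAIN_CONFIG));
        System.out.println(loadWithSafeConstructor(PLAIN_CONFIG));

        // The default loader silently instantiates the tagged class ...
        Map<?, ?> loose = (Map<?, ?>) loadWithDefaultConstructor(TAGGED_CONFIG);
        System.out.println("default loader built: " + loose.get("server"));

        // ... while the safe loader refuses the document before any class is touched.
        try {
            loadWithSafeConstructor(TAGGED_CONFIG);
            System.out.println("unexpected: tagged document accepted");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected tagged document: " + e.getMessage());
        }
    }
}
```

Run against SnakeYAML 1.x; in SnakeYAML 2.x the no-argument SafeConstructor() was replaced by SafeConstructor(LoaderOptions) and the default Yaml() no longer honours global tags.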

Comment 1 Guilherme de Almeida Suckevicz 2020-03-19 19:10:40 UTC
Created apache-commons-configuration tracking bugs for this issue:

Affects: fedora-all [bug 1815213]


Created apache-commons-configuration2 tracking bugs for this issue:

Affects: fedora-all [bug 1815214]

Comment 2 Jonathan Christison 2020-03-23 17:02:16 UTC
This vulnerability is out of security support scope for the following products:
 * Fuse Service Works
 * SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 3 Mauro Matteo Cascella 2020-03-23 17:09:40 UTC
Statement:

Several packages are unaffected because they do not include support for YAML configurations:
* `apache-commons-configuration` as shipped with Red Hat Enterprise Linux 7
* `apache-commons-configuration` as shipped with Red Hat Enterprise Virtualization
* `rh-maven35-apache-commons-configuration` as shipped with Red Hat Software Collections
* `commons-configuration` as shipped with Red Hat Gluster Storage

Comment 19 errata-xmlrpc 2020-06-25 14:14:49 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:2751 https://access.redhat.com/errata/RHSA-2020:2751

Comment 20 Product Security DevOps Team 2020-06-25 17:20:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1953

Comment 24 Chess Hazlett 2020-07-21 20:26:47 UTC
Mitigation:

There is currently no mitigation available for this vulnerability.

Comment 26 errata-xmlrpc 2020-07-23 15:10:21 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:3133 https://access.redhat.com/errata/RHSA-2020:3133

Comment 27 errata-xmlrpc 2020-07-28 15:56:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
