Bug 2150009 (CVE-2022-1471) - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
Summary: CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
Keywords:
Status: NEW
Alias: CVE-2022-1471
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2272329 2272330 2272331 2132658 2150037 2150038 2150039 2150040 2150041 2150042 2150044 2150047 2150048 2150049 2150365 2150366 2150367 2150368 2150369 2150370 2151074 2151075 2151076 2151077 2151078 2151079 2151080 2151081 2159443
Blocks: 2150008
Reported: 2022-12-01 15:28 UTC by Marco Benatto
Modified: 2024-07-20 08:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2023:0009  0        None      None    None     2023-01-02 08:33:50 UTC
Red Hat Product Errata  RHBA-2023:0010  0        None      None    None     2023-01-02 09:06:29 UTC
Red Hat Product Errata  RHBA-2023:0036  0        None      None    None     2023-01-05 14:14:46 UTC
Red Hat Product Errata  RHBA-2023:0156  0        None      None    None     2023-01-12 15:43:37 UTC
Red Hat Product Errata  RHBA-2023:1378  0        None      None    None     2023-03-21 14:41:44 UTC
Red Hat Product Errata  RHSA-2022:9032  0        None      None    None     2022-12-15 12:40:01 UTC
Red Hat Product Errata  RHSA-2022:9058  0        None      None    None     2022-12-15 15:25:42 UTC
Red Hat Product Errata  RHSA-2023:0697  0        None      None    None     2023-02-15 15:43:39 UTC
Red Hat Product Errata  RHSA-2023:0758  0        None      None    None     2023-02-14 12:12:05 UTC
Red Hat Product Errata  RHSA-2023:0777  0        None      None    None     2023-02-22 23:59:28 UTC
Red Hat Product Errata  RHSA-2023:1006  0        None      None    None     2023-03-08 14:55:16 UTC
Red Hat Product Errata  RHSA-2023:1043  0        None      None    None     2023-03-01 21:43:53 UTC
Red Hat Product Errata  RHSA-2023:1044  0        None      None    None     2023-03-01 21:46:22 UTC
Red Hat Product Errata  RHSA-2023:1045  0        None      None    None     2023-03-01 21:48:50 UTC
Red Hat Product Errata  RHSA-2023:1047  0        None      None    None     2023-03-01 21:51:33 UTC
Red Hat Product Errata  RHSA-2023:1049  0        None      None    None     2023-03-01 21:59:49 UTC
Red Hat Product Errata  RHSA-2023:1512  0        None      None    None     2023-03-29 11:44:08 UTC
Red Hat Product Errata  RHSA-2023:1513  0        None      None    None     2023-03-29 11:42:22 UTC
Red Hat Product Errata  RHSA-2023:1514  0        None      None    None     2023-03-29 11:40:55 UTC
Red Hat Product Errata  RHSA-2023:1516  0        None      None    None     2023-03-29 11:45:57 UTC
Red Hat Product Errata  RHSA-2023:2097  0        None      None    None     2023-05-03 13:20:09 UTC
Red Hat Product Errata  RHSA-2023:3198  0        None      None    None     2023-05-17 17:51:07 UTC
Red Hat Product Errata  RHSA-2023:4612  0        None      None    None     2023-08-16 10:56:09 UTC
Red Hat Product Errata  RHSA-2023:5165  0        None      None    None     2023-09-14 09:52:14 UTC
Red Hat Product Errata  RHSA-2023:7697  0        None      None    None     2023-12-07 13:42:09 UTC
Red Hat Product Errata  RHSA-2024:0325  0        None      None    None     2024-01-22 18:09:50 UTC
Red Hat Product Errata  RHSA-2024:0775  0        None      None    None     2024-02-12 10:43:44 UTC
Red Hat Product Errata  RHSA-2024:1353  0        None      None    None     2024-03-18 09:48:07 UTC

Description Marco Benatto 2022-12-01 15:28:10 UTC
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
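
The weak loader and the recommended one side by side, as an added Java example that is not part of this bug report or of SnakeYaml's own code. It assumes a SnakeYaml release whose Constructor and SafeConstructor take a LoaderOptions argument (the 2.x API); the tagged document is constructed sample input, and only the SafeConstructor path is exercised.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SnakeYamlLoading {

    // Constructed sample input: besides plain scalars, the document carries a
    // global (!!) tag naming a JVM class. The class chosen here is harmless;
    // what matters is whether the loader honours such a tag at all.
    static final String UNTRUSTED_DOC =
            "name: demo\n" +
            "count: !!java.lang.Integer 42\n";

    // Weak pattern from the description: Constructor does not restrict the
    // types it will instantiate, so on an affected version a !!tag is resolved
    // to whatever class it names and that class is built from the YAML node.
    static Object loadWithConstructor(String doc) {
        Yaml yaml = new Yaml(new Constructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    // Recommended pattern: SafeConstructor knows only the standard YAML types
    // (str, int, float, bool, map, seq, ...) and refuses any other tag.
    static Object loadWithSafeConstructor(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        // An untagged document loads normally into a Map.
        Object plain = loadWithSafeConstructor("name: demo\ncount: 42\n");
        System.out.println("safe, untagged: " + plain
                + " (" + plain.getClass().getSimpleName() + ")");

        // The tagged document is refused: the class tag is not one SafeConstructor
        // can construct, and SnakeYaml reports that as a YAMLException subclass.
        try {
            loadWithSafeConstructor(UNTRUSTED_DOC);
            System.out.println("safe, tagged  : unexpectedly loaded");
        } catch (YAMLException e) {
            System.out.println("safe, tagged  : rejected -> " + e.getMessage());
        }
    }
}
```

Treat any such rejection in production logs as a signal worth alerting on: well-formed configuration never needs class tags, so their presence in untrusted input is itself suspicious.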

Comment 10 errata-xmlrpc 2022-12-15 12:39:57 UTC
This issue has been addressed in the following products:

  Red Hat build of Eclipse Vert.x 4.3.4

Via RHSA-2022:9032 https://access.redhat.com/errata/RHSA-2022:9032

Comment 11 errata-xmlrpc 2022-12-15 15:25:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9058 https://access.redhat.com/errata/RHSA-2022:9058

Comment 18 ops-paas-redhat-d 2023-01-06 10:22:58 UTC
Hello, when can we expect to see an update for RHEL 8.6 EUS since the rating is "Important Impact"?

Comment 19 Nick Boldt 2023-01-10 01:31:07 UTC
In which version of snakeyaml is the bug, and in which version can we expect the fix? 

Asking because the prodsec tools recently generated 12 JIRAs about snakeyaml but there's no information in here about versions. :(

https://issues.redhat.com/browse/CRW-3658?filter=12405213&jql=project%20%3D%20CRW%20AND%20component%20%3D%20%22productization%3A%20security%20%26%20legal%22%20AND%20labels%20%3D%20SecurityTracking%20AND%20resolution%20is%20EMPTY%20and%20text%20~%20snakeyaml

Comment 23 errata-xmlrpc 2023-02-14 12:12:00 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus

Via RHSA-2023:0758 https://access.redhat.com/errata/RHSA-2023:0758

Comment 24 errata-xmlrpc 2023-02-15 15:43:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0697 https://access.redhat.com/errata/RHSA-2023:0697

Comment 25 errata-xmlrpc 2023-02-22 23:59:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777

Comment 26 errata-xmlrpc 2023-03-01 21:43:48 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 27 errata-xmlrpc 2023-03-01 21:46:16 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 28 errata-xmlrpc 2023-03-01 21:48:44 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 29 errata-xmlrpc 2023-03-01 21:51:29 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 30 errata-xmlrpc 2023-03-01 21:59:44 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 32 errata-xmlrpc 2023-03-08 14:55:12 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006

Comment 33 errata-xmlrpc 2023-03-29 11:40:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1514

Comment 34 errata-xmlrpc 2023-03-29 11:42:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1513

Comment 35 errata-xmlrpc 2023-03-29 11:44:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1512

Comment 36 errata-xmlrpc 2023-03-29 11:45:52 UTC
This issue has been addressed in the following products:

  EAP 7.4.10 release

Via RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:1516

Comment 38 errata-xmlrpc 2023-05-03 13:20:04 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097

Comment 44 errata-xmlrpc 2023-05-17 17:51:02 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198

Comment 47 errata-xmlrpc 2023-08-16 10:56:05 UTC
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.7.13

Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612

Comment 49 errata-xmlrpc 2023-09-14 09:52:07 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.0

Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165

Comment 52 errata-xmlrpc 2023-12-07 13:42:03 UTC
This issue has been addressed in the following products:

  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9

Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697

Comment 57 errata-xmlrpc 2024-01-22 18:09:44 UTC
This issue has been addressed in the following products:

  RHEL-7 based Middleware Containers

Via RHSA-2024:0325 https://access.redhat.com/errata/RHSA-2024:0325

Comment 59 errata-xmlrpc 2024-02-12 10:43:37 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775

Comment 63 errata-xmlrpc 2024-03-18 09:48:00 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.5 async

Via RHSA-2024:1353 https://access.redhat.com/errata/RHSA-2024:1353

Comment 66 Nick Tait 2024-03-30 22:23:34 UTC
Created snakeyaml tracking bugs for this issue:

Affects: epel-all [bug 2272329]
Affects: fedora-all [bug 2272330]


Created texlive-base tracking bugs for this issue:

Affects: fedora-all [bug 2272331]

