Bug 2150009 (CVE-2022-1471) - CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
Summary: CVE-2022-1471 SnakeYaml: Constructor Deserialization Remote Code Execution
Keywords:
Status: NEW
Alias: CVE-2022-1471
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2272329 2272330 2272331 2132658 2150037 2150038 2150039 2150040 2150041 2150042 2150044 2150047 2150048 2150049 2150365 2150366 2150367 2150368 2150369 2150370 2151074 2151075 2151076 2151077 2151078 2151079 2151080 2151081 2159443
Blocks: 2150008
TreeView+ depends on / blocked
 
Reported: 2022-12-01 15:28 UTC by Marco Benatto
Modified: 2024-04-03 03:36 UTC (History)
112 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE).
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:0009 0 None None None 2023-01-02 08:33:50 UTC
Red Hat Product Errata RHBA-2023:0010 0 None None None 2023-01-02 09:06:29 UTC
Red Hat Product Errata RHBA-2023:0036 0 None None None 2023-01-05 14:14:46 UTC
Red Hat Product Errata RHBA-2023:0156 0 None None None 2023-01-12 15:43:37 UTC
Red Hat Product Errata RHBA-2023:1378 0 None None None 2023-03-21 14:41:44 UTC
Red Hat Product Errata RHSA-2022:9032 0 None None None 2022-12-15 12:40:01 UTC
Red Hat Product Errata RHSA-2022:9058 0 None None None 2022-12-15 15:25:42 UTC
Red Hat Product Errata RHSA-2023:0697 0 None None None 2023-02-15 15:43:39 UTC
Red Hat Product Errata RHSA-2023:0758 0 None None None 2023-02-14 12:12:05 UTC
Red Hat Product Errata RHSA-2023:0777 0 None None None 2023-02-22 23:59:28 UTC
Red Hat Product Errata RHSA-2023:1006 0 None None None 2023-03-08 14:55:16 UTC
Red Hat Product Errata RHSA-2023:1043 0 None None None 2023-03-01 21:43:53 UTC
Red Hat Product Errata RHSA-2023:1044 0 None None None 2023-03-01 21:46:22 UTC
Red Hat Product Errata RHSA-2023:1045 0 None None None 2023-03-01 21:48:50 UTC
Red Hat Product Errata RHSA-2023:1047 0 None None None 2023-03-01 21:51:33 UTC
Red Hat Product Errata RHSA-2023:1049 0 None None None 2023-03-01 21:59:49 UTC
Red Hat Product Errata RHSA-2023:1512 0 None None None 2023-03-29 11:44:08 UTC
Red Hat Product Errata RHSA-2023:1513 0 None None None 2023-03-29 11:42:22 UTC
Red Hat Product Errata RHSA-2023:1514 0 None None None 2023-03-29 11:40:55 UTC
Red Hat Product Errata RHSA-2023:1516 0 None None None 2023-03-29 11:45:57 UTC
Red Hat Product Errata RHSA-2023:2097 0 None None None 2023-05-03 13:20:09 UTC
Red Hat Product Errata RHSA-2023:3198 0 None None None 2023-05-17 17:51:07 UTC
Red Hat Product Errata RHSA-2023:4612 0 None None None 2023-08-16 10:56:09 UTC
Red Hat Product Errata RHSA-2023:5165 0 None None None 2023-09-14 09:52:14 UTC
Red Hat Product Errata RHSA-2023:7697 0 None None None 2023-12-07 13:42:09 UTC
Red Hat Product Errata RHSA-2024:0325 0 None None None 2024-01-22 18:09:50 UTC
Red Hat Product Errata RHSA-2024:0775 0 None None None 2024-02-12 10:43:44 UTC
Red Hat Product Errata RHSA-2024:1353 0 None None None 2024-03-18 09:48:07 UTC

Description Marco Benatto 2022-12-01 15:28:10 UTC 
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.
Comment 10 errata-xmlrpc 2022-12-15 12:39:57 UTC 
This issue has been addressed in the following products:

  Red Hat build of Eclipse Vert.x 4.3.4

Via RHSA-2022:9032 https://access.redhat.com/errata/RHSA-2022:9032
Comment 11 errata-xmlrpc 2022-12-15 15:25:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:9058 https://access.redhat.com/errata/RHSA-2022:9058
Comment 18 ops-paas-redhat-d 2023-01-06 10:22:58 UTC 
Hello, when can we expect to see an update for Rhel 8.6 EUS since the rating is "Important Impact" ?
Comment 19 Nick Boldt 2023-01-10 01:31:07 UTC 
In which version of snakeyaml is the bug, and in which version can we expect the fix? 

Asking be cause the prodsec tools recently generated 12 JIRAs about snakeyaml but there's no information in here about versions. :( 

https://issues.redhat.com/browse/CRW-3658?filter=12405213&jql=project%20%3D%20CRW%20AND%20component%20%3D%20%22productization%3A%20security%20%26%20legal%22%20AND%20labels%20%3D%20SecurityTracking%20AND%20resolution%20is%20EMPTY%20and%20text%20~%20snakeyaml
Comment 23 errata-xmlrpc 2023-02-14 12:12:00 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus

Via RHSA-2023:0758 https://access.redhat.com/errata/RHSA-2023:0758
Comment 24 errata-xmlrpc 2023-02-15 15:43:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0697 https://access.redhat.com/errata/RHSA-2023:0697
Comment 25 errata-xmlrpc 2023-02-22 23:59:23 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777
Comment 26 errata-xmlrpc 2023-03-01 21:43:48 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
Comment 27 errata-xmlrpc 2023-03-01 21:46:16 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
Comment 28 errata-xmlrpc 2023-03-01 21:48:44 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
Comment 29 errata-xmlrpc 2023-03-01 21:51:29 UTC 
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
Comment 30 errata-xmlrpc 2023-03-01 21:59:44 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
Comment 32 errata-xmlrpc 2023-03-08 14:55:12 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.7

Via RHSA-2023:1006 https://access.redhat.com/errata/RHSA-2023:1006
Comment 33 errata-xmlrpc 2023-03-29 11:40:51 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2023:1514 https://access.redhat.com/errata/RHSA-2023:1514
Comment 34 errata-xmlrpc 2023-03-29 11:42:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2023:1513 https://access.redhat.com/errata/RHSA-2023:1513
Comment 35 errata-xmlrpc 2023-03-29 11:44:02 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2023:1512 https://access.redhat.com/errata/RHSA-2023:1512
Comment 36 errata-xmlrpc 2023-03-29 11:45:52 UTC 
This issue has been addressed in the following products:

  EAP 7.4.10 release

Via RHSA-2023:1516 https://access.redhat.com/errata/RHSA-2023:1516
Comment 38 errata-xmlrpc 2023-05-03 13:20:04 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:2097 https://access.redhat.com/errata/RHSA-2023:2097
Comment 44 errata-xmlrpc 2023-05-17 17:51:02 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198
Comment 47 errata-xmlrpc 2023-08-16 10:56:05 UTC 
This issue has been addressed in the following products:

  Red Hat support for Spring Boot 2.7.13

Via RHSA-2023:4612 https://access.redhat.com/errata/RHSA-2023:4612
Comment 49 errata-xmlrpc 2023-09-14 09:52:07 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.5.0

Via RHSA-2023:5165 https://access.redhat.com/errata/RHSA-2023:5165
Comment 52 errata-xmlrpc 2023-12-07 13:42:03 UTC 
This issue has been addressed in the following products:

  AMQ Clients 3.y for RHEL 8
  AMQ Clients 3.y for RHEL 9

Via RHSA-2023:7697 https://access.redhat.com/errata/RHSA-2023:7697
Comment 57 errata-xmlrpc 2024-01-22 18:09:44 UTC 
This issue has been addressed in the following products:

  RHEL-7 based Middleware Containers

Via RHSA-2024:0325 https://access.redhat.com/errata/RHSA-2024:0325
Comment 59 errata-xmlrpc 2024-02-12 10:43:37 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.11

Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775
Comment 63 errata-xmlrpc 2024-03-18 09:48:00 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.5 async

Via RHSA-2024:1353 https://access.redhat.com/errata/RHSA-2024:1353
Comment 66 Nick Tait 2024-03-30 22:23:34 UTC 
Created snakeyaml tracking bugs for this issue:

Affects: epel-all [bug 2272329]
Affects: fedora-all [bug 2272330]


Created texlive-base tracking bugs for this issue:

Affects: fedora-all [bug 2272331]
Note You need to log in before you can comment on or make changes to this bug.