Apache Commons Configuration uses a third-party library to parse YAML files which, by default, allows the instantiation of classes if the YAML includes special statements. Apache Commons Configuration versions 2.2, 2.3, 2.4, 2.5 and 2.6 did not change the default settings of this library, so if a YAML file was loaded from an untrusted source, it could load and execute code outside the control of the host application.

References:
https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
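The parser in question is SnakeYAML, and the "special statements" are global `!!fully.qualified.ClassName` tags. The following is an added example, not code from the advisory or from the Apache Commons Configuration project, showing the weak default loader beside the hardened one. It assumes SnakeYAML on the classpath in a release that provides `SafeConstructor(LoaderOptions)` (1.33 and the 2.x line do); the sample YAML documents are constructed for the demonstration and the tagged class is deliberately harmless. Switching to `SafeConstructor` is, as I read the linked upstream commit, also the approach the upstream fix takes.

```java
// Added example (not part of the advisory or the Apache Commons Configuration code base).
// Assumes SnakeYAML on the classpath; Yaml, LoaderOptions, SafeConstructor and
// ConstructorException are SnakeYAML's own classes.
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class YamlLoaderHardening {

    // Constructed sample: ordinary configuration data with no class tags.
    static final String PLAIN =
            "database:\n  host: db.example.invalid\n  port: 5432\n";

    // Constructed sample: the same document carrying a global (!!) tag that names
    // a JVM class. StringBuilder is used only because it is harmless; the point is
    // that the default constructor honours the tag and instantiates whatever is named.
    static final String TAGGED =
            "database:\n  host: !!java.lang.StringBuilder \"db.example.invalid\"\n  port: 5432\n";

    // Weak setting: SnakeYAML 1.x's default Constructor resolves !!name tags with
    // Class.forName and builds an instance of that class from the node. This is the
    // default that Commons Configuration 2.2 through 2.6 left in place.
    // (SnakeYAML 2.x changed its defaults to refuse global tags, so on 2.x this
    // call throws instead of instantiating the class.)
    static Object loadWithDefaults(String document) {
        return new Yaml().load(document);
    }

    // Corrected setting: SafeConstructor knows only the standard YAML tags (maps,
    // sequences, scalars) and rejects every global tag with a ConstructorException,
    // so a document can never name a class for the loader to instantiate.
    static Object loadSafely(String document) {
        return new Yaml(new SafeConstructor(new LoaderOptions())).load(document);
    }

    public static void main(String[] args) {
        // Plain configuration data loads normally through the safe loader.
        Map<?, ?> plain = (Map<?, ?>) loadSafely(PLAIN);
        System.out.println("safe loader, plain data: " + plain);

        // The default loader either instantiates the tagged class (1.x) or, on 2.x, refuses it.
        try {
            Map<?, ?> weak = (Map<?, ?>) loadWithDefaults(TAGGED);
            Object host = ((Map<?, ?>) weak.get("database")).get("host");
            System.out.println("default loader honoured the tag; host is a "
                    + host.getClass().getName());
        } catch (YAMLException e) {
            System.out.println("default loader refused the tag: " + e.getMessage());
        }

        // The safe loader always refuses the tagged document.
        try {
            loadSafely(TAGGED);
            System.out.println("unexpected: safe loader accepted the tagged document");
        } catch (ConstructorException e) {
            System.out.println("safe loader rejected the tag: " + e.getMessage());
        }
    }
}
```

The practical check for an application is therefore not the YAML content but the loader: any `new Yaml()` (or any affected `YAMLConfiguration`) fed data from outside the application's trust boundary is exposed, whereas a loader built on `SafeConstructor` limits the document to plain maps, lists and scalars regardless of what tags it carries.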
Created apache-commons-configuration tracking bugs for this issue:
Affects: fedora-all [bug 1815213]

Created apache-commons-configuration2 tracking bugs for this issue:
Affects: fedora-all [bug 1815214]
This vulnerability is out of security support scope for the following products:
* Fuse Service Works
* SOA Platform 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Statement: Several packages are unaffected because they do not include support for YAML configurations:
* `apache-commons-configuration` as shipped with Red Hat Enterprise Linux 7
* `apache-commons-configuration` as shipped with Red Hat Enterprise Virtualization
* `rh-maven35-apache-commons-configuration` as shipped with Red Hat Software Collections
* `commons-configuration` as shipped with Red Hat Gluster Storage
Upstream fix: https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641
External References:
https://lists.apache.org/thread.html/rde2186ad6ac0d6ed8d51af7509244adcf1ce0f9a3b7e1d1dd3b64676@%3Ccommits.camel.apache.org%3E
https://github.com/apache/commons-configuration/commit/add7375cf37fd316d4838c6c56b054fc293b4641
This issue has been addressed in the following products: Red Hat AMQ Via RHSA-2020:2751 https://access.redhat.com/errata/RHSA-2020:2751
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1953
Mitigation: There is currently no mitigation available for this vulnerability.
This issue has been addressed in the following products: Red Hat AMQ Via RHSA-2020:3133 https://access.redhat.com/errata/RHSA-2020:3133
This issue has been addressed in the following products: Red Hat Fuse 7.7.0 Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192