Bug 2126789 (CVE-2022-25857) - CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limitation for collections
Summary: CVE-2022-25857 snakeyaml: Denial of Service due to missing nested depth limit...
Keywords:
Status: NEW
Alias: CVE-2022-25857
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2126794 2126841 2132647 2132648 2132649 2132650 2132653 2126792 2126793 2126842 2128144 2128468 2128477
Blocks: 2123794
 
Reported: 2022-09-14 12:18 UTC by Patrick Del Bello
Modified: 2022-11-28 14:40 UTC (History)
CC List: 115 users

Fixed In Version: org.yaml.snakeyaml 1.31
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the org.yaml.snakeyaml package. This flaw allows an attacker to cause a denial of service (DoS) due to missing nested depth limitation for collections.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6757 0 None None None 2022-10-05 14:50:21 UTC
Red Hat Product Errata RHSA-2022:6820 0 None None None 2022-10-06 07:35:48 UTC
Red Hat Product Errata RHSA-2022:6821 0 None None None 2022-10-05 16:35:10 UTC
Red Hat Product Errata RHSA-2022:6822 0 None None None 2022-10-05 16:39:29 UTC
Red Hat Product Errata RHSA-2022:6823 0 None None None 2022-10-05 16:32:46 UTC
Red Hat Product Errata RHSA-2022:6825 0 None None None 2022-10-05 16:47:10 UTC
Red Hat Product Errata RHSA-2022:6835 0 None None None 2022-10-06 12:28:32 UTC
Red Hat Product Errata RHSA-2022:6941 0 None None None 2022-10-13 11:14:42 UTC
Red Hat Product Errata RHSA-2022:8524 0 None None None 2022-11-17 13:40:26 UTC
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:40:06 UTC

Description Patrick Del Bello 2022-09-14 12:18:14 UTC
The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.
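
The nesting limit that 1.31 introduces has to be configured by the loading application; the following is an added illustration of doing so, not code from this bug report, from the reporter, or from the SnakeYAML project. It assumes SnakeYAML 1.31 or later, where `LoaderOptions.setNestingDepthLimit(int)` is the API that enforces the limit; the limit value of 20, the class name, the sample config document and the constructed deeply nested test vector are all choices made for this example.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Added example (not from the bug report or the SnakeYAML project): checks that a
 * SnakeYAML >= 1.31 loader actually refuses collections nested deeper than the
 * configured limit, which is the condition CVE-2022-25857 describes as unbounded.
 */
public class NestingDepthCheck {

    /** Deepest collection nesting this application is willing to parse (assumed value). */
    static final int MAX_DEPTH = 20;

    /**
     * Builds a loader with an explicit nesting limit. setNestingDepthLimit exists from
     * SnakeYAML 1.31 on; on an older, vulnerable version this does not compile, which is
     * itself a useful build-time signal that the dependency has not been updated.
     */
    static Yaml boundedLoader(int maxDepth) {
        LoaderOptions options = new LoaderOptions();
        options.setNestingDepthLimit(maxDepth);
        // SafeConstructor restricts loading to standard YAML tags (no arbitrary Java types).
        return new Yaml(new SafeConstructor(options));
    }

    /** Constructed test vector: a flow sequence nested 'depth' levels deep, e.g. "[[[]]]" for depth 3. */
    static String nestedSequence(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Returns true if the loader accepted the document, false if it rejected it. */
    static boolean accepts(Yaml yaml, String document) {
        try {
            yaml.load(document);
            return true;
        } catch (YAMLException e) {
            // Every SnakeYAML parse/limit error derives from YAMLException.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Yaml yaml = boundedLoader(MAX_DEPTH);

        // Constructed sample of an ordinary application config, nested three levels deep.
        String ordinaryConfig = "server:\n"
                + "  listen: 8080\n"
                + "  hosts:\n"
                + "    - a.example\n"
                + "    - b.example\n";
        System.out.println("ordinary config accepted: " + accepts(yaml, ordinaryConfig));

        // A document nested well past the limit must be rejected rather than parsed.
        int tooDeep = MAX_DEPTH * 10;
        System.out.println("depth " + tooDeep + " accepted: " + accepts(yaml, nestedSequence(tooDeep)));
    }
}
```

Run this once against the SnakeYAML version actually on the classpath (for the RHEL packages discussed below, whatever the rebuilt prometheus-jmx-exporter bundles) rather than trusting the declared dependency version. Keep a margin between the limit and the deepest document you legitimately expect; whether a document at exactly the limit is accepted depends on SnakeYAML's comparison, and the test above deliberately does not rely on that boundary.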

Comment 1 Patrick Del Bello 2022-09-14 12:37:19 UTC
Created snakeyaml tracking bugs for this issue:

Affects: epel-all [bug 2126792]
Affects: fedora-all [bug 2126793]


Created texlive-base tracking bugs for this issue:

Affects: fedora-all [bug 2126794]

Comment 8 spencer.deehring 2022-09-28 16:04:23 UTC
Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to fix this CVE in RHEL 8. Can we get an update to this package to patch this CVE?

https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218

Comment 9 Andrew John Hughes 2022-09-28 16:07:33 UTC
(In reply to spencer.deehring from comment #8)
> Version 0.17.1 of prometheus-jmx-exporter was released about 3 weeks ago to
> fix this CVE in RHEL 8. Can we get an update to this package to patch this
> CVE?
> 
> https://github.com/prometheus/jmx_exporter/issues/734#issuecomment-1242805218

A rebuild with the new snakeyaml is in progress. See bug #2128477

Comment 15 errata-xmlrpc 2022-10-05 14:50:16 UTC
This issue has been addressed in the following products:

  Red Hat build of Eclipse Vert.x 4.3.3

Via RHSA-2022:6757 https://access.redhat.com/errata/RHSA-2022:6757

Comment 16 errata-xmlrpc 2022-10-05 16:32:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9

Via RHSA-2022:6823 https://access.redhat.com/errata/RHSA-2022:6823

Comment 17 errata-xmlrpc 2022-10-05 16:35:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7

Via RHSA-2022:6821 https://access.redhat.com/errata/RHSA-2022:6821

Comment 18 errata-xmlrpc 2022-10-05 16:39:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8

Via RHSA-2022:6822 https://access.redhat.com/errata/RHSA-2022:6822

Comment 19 errata-xmlrpc 2022-10-05 16:47:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2022:6825 https://access.redhat.com/errata/RHSA-2022:6825

Comment 20 errata-xmlrpc 2022-10-06 07:35:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6820 https://access.redhat.com/errata/RHSA-2022:6820

Comment 21 Sandipan Roy 2022-10-06 09:44:54 UTC
For RHEL-8 it's downgraded to moderate because "snakeyaml" itself isn't shipped in RHEL 8 or RHEL-9 and "prometheus-jmx-exporter" is needed as a build dependency. And it's not directly exploitable, hence the severity is marked as moderate.

https://access.redhat.com/security/updates/classification/#moderate

Comment 24 errata-xmlrpc 2022-10-06 12:28:27 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 27 errata-xmlrpc 2022-10-13 11:14:37 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus Platform 2.7.6.SP1

Via RHSA-2022:6941 https://access.redhat.com/errata/RHSA-2022:6941

Comment 28 spencer.deehring 2022-10-14 18:23:39 UTC
I see that package prometheus-jmx-exporter has been updated in RHEL 8 to 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package prometheus-jmx-exporter-openjdk8 has not been updated and still contains this CVE. Are there plans to resolve this?

Comment 29 Severin Gehwolf 2022-10-17 08:48:45 UTC
(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

Sorry about that. This should not have happened. I'll get motions started to get relevant sub-package builds pushed as well. Appropriate root-cause analysis is ongoing why this happened in the first place. Thanks for letting us know!

Comment 31 Severin Gehwolf 2022-10-24 13:13:25 UTC
(In reply to spencer.deehring from comment #28)
> I see that package prometheus-jmx-exporter has been updated in RHEL 8 to
> 0.12.0-8.el8_6 as per RHSA-2022:6820. However the sub package
> prometheus-jmx-exporter-openjdk8 has not been updated and still contains
> this CVE. Are there plans to resolve this?

This should be fixed now:

[root@f3e8264d55a2 /]# dnf install prometheus-jmx-exporter-openjdk8
Updating Subscription Management repositories.
Unable to read consumer identity

This system is not registered with an entitlement server. You can use subscription-manager to register.

Red Hat Universal Base Image 8 (RPMs) - BaseOS                                                                                                                                                                2.2 MB/s | 811 kB     00:00    
Red Hat Universal Base Image 8 (RPMs) - AppStream                                                                                                                                                             6.1 MB/s | 3.0 MB     00:00    
Red Hat Universal Base Image 8 (RPMs) - CodeReady Builder                                                                                                                                                     119 kB/s |  20 kB     00:00    
Dependencies resolved.
==============================================================================================================================================================================================================================================
 Package                                                            Architecture                             Version                                                             Repository                                              Size
==============================================================================================================================================================================================================================================
Installing:
 prometheus-jmx-exporter-openjdk8                                   noarch                                   0.12.0-8.el8_6                                                      ubi-8-appstream-rpms                                   8.3 k
Installing dependencies:
 avahi-libs                                                         x86_64                                   0.7-20.el8                                                          ubi-8-baseos-rpms                                       62 k
 copy-jdk-configs                                                   noarch                                   4.0-2.el8                                                           ubi-8-appstream-rpms                                    31 k
 cups-libs                                                          x86_64                                   1:2.2.6-45.el8_6.2                                                  ubi-8-baseos-rpms                                      435 k
 freetype                                                           x86_64                                   2.9.1-4.el8_3.1                                                     ubi-8-baseos-rpms                                      394 k
 java-1.8.0-openjdk-headless                                        x86_64                                   1:1.8.0.352.b08-2.el8_6                                             ubi-8-appstream-rpms                                    34 M
 javapackages-filesystem                                            noarch                                   5.3.0-1.module+el8+2447+6f56d9a6                                    ubi-8-appstream-rpms                                    30 k
 libjpeg-turbo                                                      x86_64                                   1.5.3-12.el8                                                        ubi-8-appstream-rpms                                   157 k
 libpng                                                             x86_64                                   2:1.6.34-5.el8                                                      ubi-8-baseos-rpms                                      126 k
 lksctp-tools                                                       x86_64                                   1.0.18-3.el8                                                        ubi-8-baseos-rpms                                      100 k
 lua                                                                x86_64                                   5.3.4-12.el8                                                        ubi-8-appstream-rpms                                   192 k
 nspr                                                               x86_64                                   4.34.0-3.el8_6                                                      ubi-8-appstream-rpms                                   143 k
 nss                                                                x86_64                                   3.79.0-10.el8_6                                                     ubi-8-appstream-rpms                                   747 k
 nss-softokn                                                        x86_64                                   3.79.0-10.el8_6                                                     ubi-8-appstream-rpms                                   1.2 M
 nss-softokn-freebl                                                 x86_64                                   3.79.0-10.el8_6                                                     ubi-8-appstream-rpms                                   398 k
 nss-sysinit                                                        x86_64                                   3.79.0-10.el8_6                                                     ubi-8-appstream-rpms                                    75 k
 nss-util                                                           x86_64                                   3.79.0-10.el8_6                                                     ubi-8-appstream-rpms                                   139 k
 prometheus-jmx-exporter                                            noarch                                   0.12.0-8.el8_6                                                      ubi-8-appstream-rpms                                   486 k
 tzdata-java                                                        noarch                                   2022e-1.el8                                                         ubi-8-appstream-rpms                                   186 k
Enabling module streams:
 javapackages-runtime                                                                                        201801                                                                                                                          

Transaction Summary
==============================================================================================================================================================================================================================================
Install  19 Packages

Total download size: 39 M
Installed size: 129 M
Is this ok [y/N]: n

Comment 35 errata-xmlrpc 2022-11-17 13:40:21 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.0

Via RHSA-2022:8524 https://access.redhat.com/errata/RHSA-2022:8524

Comment 37 errata-xmlrpc 2022-11-28 14:40:02 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

