{ "threat_severity" : "Important", "public_date" : "2022-10-13T00:00:00Z", "bugzilla" : { "description" : "SnakeYaml: Constructor Deserialization Remote Code Execution", "id" : "2150009", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2150009" }, "cvss3" : { "cvss3_base_score" : "9.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.", "A flaw was found in the SnakeYaml package. This flaw allows an attacker to benefit from remote code execution by sending malicious YAML content and this content being deserialized by the constructor. Deserialization is unsafe and leads to Remote Code Execution (RCE)." ], "statement" : "In the Red Hat Process Automation 7 (RHPAM) the untrusted, malicious YAML file for deserialization by the vulnerable Snakeyaml's SafeConstructor class must be provided intentionally by the RHPAM user which requires high privileges. The potential attack complexity is also high because it depends on conditions that are beyond the attacker's control. Due to that the impact for RHPAM is reduced to Low.\nRed Hat Fuse 7 does not expose by default any endpoint that passes incoming data/request into vulnerable Snakeyaml's Constructor class nor pass untrusted data to this class. When this class is used, it’s still only used to parse internal configuration, hence the impact by this vulnerability to Red Hat Fuse 7 is reduced to Moderate.", "affected_release" : [ { "product_name" : "OpenShift Developer Tools and Services for OCP 4.11", "release_date" : "2023-05-17T00:00:00Z", "advisory" : "RHSA-2023:3198", "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8", "package" : "jenkins-2-plugins-0:4.11.1683009941-1.el8" }, { "product_name" : "OpenShift Developer Tools and Services for OCP 4.11", "release_date" : "2023-10-30T00:00:00Z", "advisory" : "RHSA-2023:6171", "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8", "package" : "jenkins-2-plugins-0:4.11.1698299029-1.el8" }, { "product_name" : "OpenShift Developer Tools and Services for OCP 4.11", "release_date" : "2024-02-12T00:00:00Z", "advisory" : "RHSA-2024:0775", "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8", "package" : "jenkins-2-plugins-0:4.11.1706516946-1.el8" }, { "product_name" : "Red Hat AMQ Clients", "release_date" : "2023-12-07T00:00:00Z", "advisory" : "RHSA-2023:7697", "cpe" : "cpe:/a:redhat:amq_clients:2023_q4", "package" : "snakeyaml" }, { "product_name" : "Red Hat AMQ Streams 2.5.0", "release_date" : "2023-09-14T00:00:00Z", "advisory" : "RHSA-2023:5165", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "Red Hat build of Eclipse Vert.x 4.3.4", "release_date" : "2022-12-15T00:00:00Z", "advisory" : "RHSA-2022:9032", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "snakeyaml" }, { "product_name" : "Red Hat build of Quarkus", "release_date" : "2023-02-14T00:00:00Z", "advisory" : "RHSA-2023:0758", "cpe" : "cpe:/a:redhat:quarkus:2.13" }, { "product_name" : "Red Hat build of Quarkus 2.7.7", "release_date" : "2023-03-08T00:00:00Z", "advisory" : "RHSA-2023:1006", "cpe" : "cpe:/a:redhat:quarkus:2.7", "package" : "snakeyaml", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-12-15T00:00:00Z", "advisory" : "RHSA-2022:9058", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "prometheus-jmx-exporter-0:0.12.0-9.el8_7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1516", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package" : "snakeyaml", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-resteasy-0:3.0.27-1.Final_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1746", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.1::el7", "package" : "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.ep7.el7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-jackson-modules-java8-0:2.10.4-2.redhat_00004.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-resteasy-0:3.11.6-1.Final_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7", "release_date" : "2025-02-24T00:00:00Z", "advisory" : "RHSA-2025:1747", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform_eus:7.3::el7", "package" : "eap7-snakeyaml-0:1.33.0-1.SP1_redhat_00001.1.el7eap" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1513", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package" : "eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el8eap", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1514", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package" : "eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el9eap", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date" : "2023-03-29T00:00:00Z", "advisory" : "RHSA-2023:1512", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package" : "eap7-snakeyaml-0:1.33.0-2.SP1_redhat_00001.1.el7eap", "impact" : "moderate" }, { "product_name" : "Red Hat OpenShift Container Platform 4.10", "release_date" : "2023-02-15T00:00:00Z", "advisory" : "RHSA-2023:0697", "cpe" : "cpe:/a:redhat:openshift:4.10::el8", "package" : "jenkins-2-plugins-0:4.10.1675407676-1.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.9", "release_date" : "2023-02-23T00:00:00Z", "advisory" : "RHSA-2023:0777", "cpe" : "cpe:/a:redhat:openshift:4.9::el8", "package" : "jenkins-2-plugins-0:4.9.1675668922-1.el8" }, { "product_name" : "Red Hat Satellite 6.13 for RHEL 8", "release_date" : "2023-05-03T00:00:00Z", "advisory" : "RHSA-2023:2097", "cpe" : "cpe:/a:redhat:satellite:6.13::el8", "package" : "candlepin-0:4.2.13-1.el8sat", "impact" : "moderate" }, { "product_name" : "Red Hat Single Sign-On 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1049", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6", "package" : "snakeyaml" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 7", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1043", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el7", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 8", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1044", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el8", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso" }, { "product_name" : "Red Hat Single Sign-On 7.6 for RHEL 9", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1045", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7.6::el9", "package" : "rh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso" }, { "product_name" : "Red Hat support for Spring Boot 2.7.13", "release_date" : "2023-08-16T00:00:00Z", "advisory" : "RHSA-2023:4612", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0", "package" : "snakeyaml" }, { "product_name" : "RHEL-7 based Middleware Containers", "release_date" : "2024-01-22T00:00:00Z", "advisory" : "RHSA-2024:0325", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el7", "package" : "openjdk/openjdk-11-rhel7:1.17-1" }, { "product_name" : "RHEL-7 based Middleware Containers", "release_date" : "2024-01-22T00:00:00Z", "advisory" : "RHSA-2024:0325", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el7", "package" : "redhat-openjdk-18/openjdk18-openshift:1.17-1" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-01-04T00:00:00Z", "advisory" : "RHBA-2023:0030", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "ubi8/openjdk-11:1.14-11" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-01-04T00:00:00Z", "advisory" : "RHBA-2023:0030", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "ubi8/openjdk-11-runtime:1.14-11" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-01-04T00:00:00Z", "advisory" : "RHBA-2023:0030", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "ubi8/openjdk-17:1.14-9" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-01-04T00:00:00Z", "advisory" : "RHBA-2023:0030", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "ubi8/openjdk-17-runtime:1.14-8" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-01-04T00:00:00Z", "advisory" : "RHBA-2023:0030", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "ubi8/openjdk-8:1.14-12" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-01-04T00:00:00Z", "advisory" : "RHBA-2023:0030", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "ubi8/openjdk-8-runtime:1.14-10" }, { "product_name" : "RHEL-8 based Middleware Containers", "release_date" : "2023-03-01T00:00:00Z", "advisory" : "RHSA-2023:1047", "cpe" : "cpe:/a:redhat:rhosemc:1.0::el8", "package" : "rh-sso-7/sso76-openshift-rhel8:7.6-20" }, { "product_name" : "RHPAM 7.13.5 async", "release_date" : "2024-03-18T00:00:00Z", "advisory" : "RHSA-2024:1353", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13", "package" : "snakeyaml", "impact" : "low" } ], "package_state" : [ { "product_name" : "A-MQ Clients 2", "fix_state" : "Affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:a_mq_clients:2", "impact" : "low" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/elasticsearch6-rhel8", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat A-MQ Online", "fix_state" : "Not affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:amq_online:1" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 3", "fix_state" : "Affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:camel_spring_boot:3", "impact" : "moderate" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Not affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat build of Debezium 1", "fix_state" : "Not affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat build of OpenJDK 11", "fix_state" : "Not affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:openjdk:11" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Will not fix", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Will not fix", "package_name" : "snakeyaml", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Will not fix", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "impact" : "moderate" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Will not fix", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:integration:1", "impact" : "moderate" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Will not fix", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "moderate" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Out of support scope", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Out of support scope", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "eap6-snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Out of support scope", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "openshift3/metrics-cassandra", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "openshift3/metrics-hawkular-metrics", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "openshift3/ose-metrics-cassandra", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "openshift3/ose-metrics-hawkular-metrics", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/idea-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/udi-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Affected", "package_name" : "puppetserver", "cpe" : "cpe:/a:redhat:satellite:6", "impact" : "moderate" }, { "product_name" : "streams for Apache Kafka", "fix_state" : "Affected", "package_name" : "snakeyaml", "cpe" : "cpe:/a:redhat:amq_streams:1", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-1471\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-1471\nhttps://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2" ], "name" : "CVE-2022-1471", "csaw" : false }