Oracle Helidon (https://github.com/oracle/helidon/) is a set of Java Libraries for writing microservices as Java SE programs. Helidon supports two programming models: Helidon MP: MicroProfile 3.2 and Helidon SE: a small, functional style API. Applications using Oracle Helidon versions 0.9.x, 0.10.x, 0.11.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x, 2.0.0-M1, 2.0.0-M2, 2.0.0-M3, 2.0.0-M4 and 2.0.0-RC1 are affected by a remote code execution vulnerability caused by insecure YAML deserialization when using the class UrlConfigSource for loading configuration files remotely.
The class YamlConfigParser (https://github.com/oracle/helidon/blob/2.0.0-RC1/config/yaml/src/main/java/io/helidon/config/yaml/YamlConfigParser.java) uses the SnakeYAML library insecurely: it instantiates Yaml() with its default constructor and then calls yaml.loadAs() without the class org.yaml.snakeyaml.constructor.SafeConstructor. The developers incorrectly believed that a safe constructor was used implicitly when java.util.Map is given as the target type, as suggested in the PR (helidon-io/helidon#2019) introduced to remove the "false positive" alert from lgtm.com. For this reason, no security advisory or fix was published for the affected versions.
Since obtaining Remote Code Execution is possible even when mapping to the class Map, Java applications using Oracle Helidon versions 0.9.x, 0.10.x, 0.11.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x, 2.0.0-M1, 2.0.0-M2, 2.0.0-M3, 2.0.0-M4 and 2.0.0-RC1 are still affected and exposed to exploitation.
There are two code paths reachable for exploitation:
#1 - ConfigParser.Content genericContent(URLConnection urlConnection) in /config/config/src/main/java/io/helidon/config/UrlConfigSource.java:120 -> yaml.loadAs(ConfigHelper.createReader((Readable) readable), Map.class) in /config/config/src/main/java/io/helidon/config/yaml/internal/YamlConfigParser.java:84
#2 - ConfigParser.Content httpContent(HttpURLConnection connection) in /config/config/src/main/java/io/helidon/config/UrlConfigSource.java:139 -> yaml.loadAs(ConfigHelper.createReader((Readable) readable), Map.class) in /config/config/src/main/java/io/helidon/config/yaml/internal/YamlConfigParser.java:84
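The insecure pattern described above beside its hardened form, as an added illustration that is not Helidon's code: a hypothetical YamlConfigLoading class assuming SnakeYAML 1.x (no-arg SafeConstructor()), with a constructed config document and a constructed document carrying a placeholder "!!" class tag to show that the SafeConstructor variant rejects it.

```java
import java.io.Reader;
import java.io.StringReader;
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Hypothetical illustration of the advisory's pattern; not Helidon's code.
// Assumes SnakeYAML 1.x, where SafeConstructor has a no-arg constructor.
public class YamlConfigLoading {

    /** Insecure pattern: the default Yaml() honours "!!" class tags. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadInsecure(Reader reader) {
        Yaml yaml = new Yaml();
        // Map.class only constrains the root node; nested values carrying an
        // explicit class tag are still instantiated by reflection.
        return yaml.loadAs(reader, Map.class);
    }

    /** Hardened: SafeConstructor builds only standard YAML types. */
    @SuppressWarnings("unchecked")
    static Map<String, Object> loadSafe(Reader reader) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object loaded = yaml.load(reader);
        // The top-level type is checked explicitly instead of via loadAs().
        if (!(loaded instanceof Map)) {
            throw new IllegalArgumentException("top-level YAML node must be a mapping");
        }
        return (Map<String, Object>) loaded;
    }

    public static void main(String[] args) {
        // Constructed sample configuration, the kind a UrlConfigSource would fetch.
        String benign = "server:\n  port: 8080\n  host: 0.0.0.0\n";
        System.out.println("safe:     " + loadSafe(new StringReader(benign)));
        System.out.println("insecure: " + loadInsecure(new StringReader(benign)));

        // Constructed document with a global ("!!") class tag on a nested value.
        // com.example.NotAllowed is a placeholder; SafeConstructor refuses any
        // such tag before any class lookup happens.
        String tagged = "server:\n  port: !!com.example.NotAllowed {}\n";
        try {
            loadSafe(new StringReader(tagged));
            System.out.println("unexpected: tagged document was accepted");
        } catch (ConstructorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```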
PoC {1} A CodeQL query has been provided to identify calls to the affected functions in Oracle Helidon applications.