Does RockyLinux 8.10 contain PyYaml critical vulnerability?

Hi,

I’ve installed Rocky Linux 8.10 from the DVD iso and then updated it. Then I made an SBOM and analyzed it with Snyk. Snyk complained about a critical vulnerability (9.8 score) in the PyYaml package v3.12: "Arbitrary Code Execution in pyyaml | CVE-2017-18342 | Snyk".

By manual investigation I can confirm that this package is indeed installed.

$ cat /etc/os-release 
NAME="Rocky Linux"
VERSION="8.10 (Green Obsidian)"
$ dnf check-update 
Last metadata expiration check: 0:17:03 ago on Mon 14 Oct 2024 10:27:49 AM EDT.
$ dnf list installed | grep yaml
libyaml.x86_64                                     0.1.7-5.el8                                                 @anaconda    
python3-pyyaml.x86_64                              3.12-12.el8                                                 @anaconda
$ pip3 list | grep PyYAML
PyYAML (3.12)

Simply uninstalling this package is not an option, since it is required by quite a lot of other packages.

$ dnf repoquery --whatrequires python3-pyyaml.x86_64
Last metadata expiration check: 0:25:39 ago on Mon 14 Oct 2024 10:27:49 AM EDT.
cloud-init-0:23.4-7.el8_10.0.1.noarch
cloud-init-0:23.4-7.el8_10.3.0.1.noarch
cloud-init-0:23.4-7.el8_10.7.0.1.noarch
cloud-init-0:23.4-7.el8_10.8.0.1.noarch
modulemd-tools-0:0.7-8.el8.noarch
nfs-utils-1:2.3.3-59.el8.x86_64
python3-libnmstate-0:1.4.5-2.el8_9.noarch
python3-libnmstate-0:1.4.6-2.el8_10.noarch
python3-libnmstate-0:1.4.6-4.el8_10.noarch
python3-networkx-core-0:1.11-16.1.el8.noarch
python3-pywbem-0:0.11.0-8.el8.noarch
tpm2-pkcs11-tools-0:1.6.0-1.el8.x86_64
vdo-0:6.2.9.7-14.el8.x86_64
virt-who-0:1.30.16-1.el8.noarch

Should I be concerned about this vulnerability report, or do I misinterpret something?

The reason it isn’t fixed here is because yaml.load() is the problem with that module. The module comes with yaml.safe_load() which is the proper way to use it. While it’s fair that scanners are treating it as a vulnerability, the assumption that most have taken is “newer version fixes this” when all the newer versions really did was deprecate the usage of yaml.load().

I wouldn’t be concerned about this vulnerability. Almost all components of the distribution that use pyyaml in some form will be using the “safe” form of loader.

It may be worth notifying the vendor (if you have a support contract with them) of this bugzilla.

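To check the reply's claim on your own box (that the packages depending on python3-pyyaml use the safe loader rather than a bare yaml.load()), here is an added example that is not from the thread: a stdlib-only auditor that parses Python source with `ast` and flags load()/load_all() calls that pass no Loader or a loader other than the safe ones. The SAMPLE source it scans is constructed for the demo; in practice you would feed it the text of each .py file shipped by a package.

```python
# Added example, not from the thread: stdlib-only audit that flags PyYAML
# load()/load_all() calls using no Loader or a loader outside SAFE_LOADERS.
import ast

SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}

def _name(node):
    # Identifier of an expression: yaml.SafeLoader -> "SafeLoader".
    if isinstance(node, ast.Attribute):
        return node.attr
    return node.id if isinstance(node, ast.Name) else None

def find_unsafe_yaml_loads(source):
    """Return sorted (lineno, reason) tuples for risky PyYAML calls."""
    tree = ast.parse(source)
    imported = {a.asname or a.name: a.name for n in ast.walk(tree)
                if isinstance(n, ast.ImportFrom) and n.module == "yaml"
                for a in n.names}          # "from yaml import load [as x]"
    findings = []
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        f = call.func
        if isinstance(f, ast.Attribute) and _name(f.value) == "yaml":
            fn = f.attr                      # yaml.load(...)
        elif isinstance(f, ast.Name) and f.id in imported:
            fn = imported[f.id]              # load(...) or an alias
        else:
            continue
        if fn not in ("load", "load_all"):
            continue                         # safe_load and friends are fine
        loader = _name(call.args[1]) if len(call.args) > 1 else None
        for kw in call.keywords:             # Loader= overrides positional
            if kw.arg == "Loader":
                loader = _name(kw.value)
        if loader is None:
            findings.append((call.lineno, f"{fn}() without Loader= "
                             "(PyYAML 3.x defaults to the full Loader)"))
        elif loader not in SAFE_LOADERS:
            findings.append((call.lineno, f"{fn}() with Loader={loader}"))
    return sorted(findings)

# Constructed sample source; lines 4, 5 and 9 should be flagged.
SAMPLE = '''
import yaml
from yaml import load as yload, SafeLoader
cfg = yaml.load(open("cfg.yml"))            # no Loader: full Loader on 3.12
meta = yaml.load(text, Loader=yaml.Loader)  # explicit full Loader
ok1 = yaml.safe_load(text)                  # the proper form
ok2 = yaml.load(text, Loader=SafeLoader)    # same as safe_load
ok3 = yload(text, SafeLoader)               # safe loader passed positionally
bad = yload(text)                           # imported alias, no Loader
'''
```

This is a static heuristic: a loader passed through a variable, or a module imported as `import yaml as y`, is not recognised, so treat its output as a shortlist to read by hand.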
