CVE-2016-8744: Apache Brooklyn, SnakeYAML configuration potentially allows remote code execution
The Apache Software Foundation
Apache Brooklyn 0.9.0 and all prior versions
Apache Brooklyn uses the SnakeYAML library for parsing YAML inputs. SnakeYAML allows the use of YAML tags to indicate that SnakeYAML should unmarshal data to a Java type. In the default configuration, SnakeYAML will allow unmarshalling to any Java type available on the classpath. This could provide an authenticated user with a means to cause the JVM running Brooklyn to load and run Java code without detection by Brooklyn. Such code would have the privileges of the Java process running Brooklyn, including the ability to open files and network connections, and execute system commands. There is known to be a proof-of-concept exploit using this vulnerability.
Upgrade to Apache Brooklyn 0.10.0. This changes the SnakeYAML configuration to limit unmarshalling to a white list of safe, basic, Java types. This change blocks YAML document inputs that use unsafe Java types.
Temporary mitigation if you cannot upgrade to 0.10.0
Ensure your Apache Brooklyn instance is properly secured so that untrusted users cannot access Brooklyn’s API. User authentication should be configured with strong passwords, and access limited to known trusted individuals. Configure SSL/TLS. Installations of Apache Brooklyn should not be exposed to the Internet without considering the security implications. (This is general good practice for Apache Brooklyn installations.)
Consider this fragment of YAML:
!!java.util.Date date: 25 month: 12 year: 2016
If embedded into a YAML document and given to Apache Brooklyn’s API endpoint for new applications, it would cause SnakeYAML to instantiate java.util.Date and call setter methods on the instance. Although the Date type in this example is relatively benign, Date could be replaced by any other class available on Brooklyn’s classpath, which include classes that pose a security risk.
This issue was discovered by Moritz Bechler of AgNO3 GmbH & Co. KG.