[MCO-794] Enable yaml safe_load as the default for MCO - Puppet Tickets

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: MCO 2.10.2
Fix Version/s: MCO 2.10.4
Component/s: None
Labels:
- docs_reviewed
- security

Acceptance Criteria:

Hide

Reject any message contents that are not basic data types or symbols. This will impact anyone not careful about data serialization in their plugins if they're using YAML serialization with the ssl or aes connector plugins.

Show
Reject any message contents that are not basic data types or symbols. This will impact anyone not careful about data serialization in their plugins if they're using YAML serialization with the ssl or aes connector plugins.
Epic Link:
2017 Security Fixes
Team:
Dumpling
Story Points:
2
CVE-ID:
CVE-2017-2292
Sprint:
FF 2017-04-05, FF 2017-04-19, FF 2017-05-03

Release Notes:
Bug Fix
Release Notes Summary:
The aes and ssl security plugins now use YAML.safe_load to deserialize messages. This avoids potential attack vectors from deserializing YAML into classes. Those plugins now require Ruby 2.1+ to use yaml deserialization.

QA Risk Assessment:
No Action

Description

Update YAML serialization in the ssl and aes security plugins to use YAML.safe_load, allowing Symbol serialization. Add sufficient acceptance testing to feel confident in this change.

YAML.safe_load is only supported in Ruby 2.1+. In older Ruby (which are all EOL) report that YAML serialization is no longer supported. Users can use Marshal instead if they don't care about security.

Attachments

Activity

People

Assignee:: John Duarte

Reporter:: Rob Braden

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 2017/03/27 2:03 PM

Updated:: 2017/05/11 7:10 AM

Resolved:: 2017/04/25 8:40 AM