
Insecure YAML deserialization in Oracle Helidon

High
cldrn published GHSA-432r-vw78-v9mw May 14, 2022

Package

maven io.helidon.config (Maven)

Affected versions

0.9.x, 0.10.x, 0.11.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x, 2.0.0-M1, 2.0.0-M2, 2.0.0-M3, 2.0.0-M4 and 2.0.0-RC1

Patched versions

None

Description


Oracle Helidon (https://github.com/oracle/helidon/) is a set of Java libraries for writing microservices as Java SE programs. Helidon supports two programming models: Helidon MP (MicroProfile 3.2) and Helidon SE (a small, functional-style API). Applications using Oracle Helidon versions 0.9.x, 0.10.x, 0.11.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x, 2.0.0-M1, 2.0.0-M2, 2.0.0-M3, 2.0.0-M4 and 2.0.0-RC1 are affected by a remote code execution vulnerability caused by insecure YAML deserialization when the class UrlConfigSource is used to load configuration files remotely.

RCA

The class YamlConfigParser (https://github.com/oracle/helidon/blob/2.0.0-RC1/config/yaml/src/main/java/io/helidon/config/yaml/YamlConfigParser.java) uses the SnakeYAML library insecurely: it instantiates the parser with the default constructor (new Yaml()) and then calls yaml.loadAs() without supplying org.yaml.snakeyaml.constructor.SafeConstructor. The default constructor honours "!!" class tags anywhere in the document, so the attacker controls which classes get instantiated. The developers incorrectly believed that a safe constructor was used implicitly when java.util.Map is passed as the target type, as suggested in PR helidon-io/helidon#2019, which was opened to silence what was taken to be a false-positive alert from lgtm.com. For this reason no security advisory or fix was published for the affected versions.

Since remote code execution is possible even when the document is mapped to Map, Java applications using Oracle Helidon versions 0.9.x, 0.10.x, 0.11.x, 1.0.x, 1.1.x, 1.2.x, 1.3.x, 1.4.x, 2.0.0-M1, 2.0.0-M2, 2.0.0-M3, 2.0.0-M4 and 2.0.0-RC1 remain affected and exposed to exploitation.

Two code paths reach the insecure call, both fed by the remote document that UrlConfigSource fetches:

#1 - ConfigParser.Content<Instant> genericContent(URLConnection urlConnection) in /config/config/src/main/java/io/helidon/config/UrlConfigSource.java:120 -> yaml.loadAs(ConfigHelper.createReader((Readable) readable), Map.class) in /config/config/src/main/java/io/helidon/config/yaml/internal/YamlConfigParser.java:84

#2 - ConfigParser.Content<Instant> httpContent(HttpURLConnection connection) in /config/config/src/main/java/io/helidon/config/UrlConfigSource.java:139 -> yaml.loadAs(ConfigHelper.createReader((Readable) readable), Map.class) in /config/config/src/main/java/io/helidon/config/yaml/internal/YamlConfigParser.java:84
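The following is an added example written for this advisory, not code from the Helidon project or from the advisory author. It reproduces the pattern described above in isolation: a default new Yaml() followed by loadAs(..., Map.class) still constructs whatever class a nested "!!" tag names, while a SafeConstructor rejects the tag. The class java.net.URL is used as a harmless stand-in for the classes an attacker would actually pick; the YAML document is constructed for the example. It assumes SnakeYAML 1.x (the SafeConstructor no-argument constructor used here does not exist in SnakeYAML 2.x).

```java
import java.io.StringReader;
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

/**
 * Added example (not Helidon's own code). Shows that loadAs(..., Map.class) with a
 * default Yaml() still honours "!!" class tags on nested nodes, next to a hardened
 * variant that uses SafeConstructor. Assumes SnakeYAML 1.x.
 */
public class YamlTagDemo {

    // Constructed input. The tag instantiates java.net.URL, a benign class that merely
    // parses the string; an attacker chooses whichever class suits the target classpath.
    static final String TAGGED_DOC =
            "server:\n" +
            "  port: 8080\n" +
            "  origin: !!java.net.URL [\"http://127.0.0.1/\"]\n";

    // Mirrors the vulnerable pattern: default Constructor, root node mapped to Map.
    @SuppressWarnings("unchecked")
    static Map<String, Object> parseUnsafe(String doc) {
        Yaml yaml = new Yaml();
        return yaml.loadAs(new StringReader(doc), Map.class);
    }

    // Hardened variant: SafeConstructor only builds the standard YAML types.
    // load() is used instead of loadAs() because loadAs() retags the root node with the
    // requested class, and SafeConstructor has no constructor for that tag; the explicit
    // instanceof check takes over the job of enforcing the expected root type.
    @SuppressWarnings("unchecked")
    static Map<String, Object> parseSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        Object root = yaml.load(new StringReader(doc));
        if (!(root instanceof Map)) {
            throw new IllegalArgumentException("top-level YAML node is not a mapping");
        }
        return (Map<String, Object>) root;
    }

    public static void main(String[] args) {
        Map<String, Object> unsafe = parseUnsafe(TAGGED_DOC);
        Object origin = ((Map<?, ?>) unsafe.get("server")).get("origin");
        // Despite Map.class as the target type, the nested value became a java.net.URL instance.
        System.out.println("default Yaml(): origin is an instance of " + origin.getClass().getName());

        try {
            parseSafe(TAGGED_DOC);
            System.out.println("unexpected: SafeConstructor accepted the class tag");
        } catch (ConstructorException e) {
            // SafeConstructor refuses any tag outside the standard YAML set.
            System.out.println("SafeConstructor rejected the tag: " + e.getMessage());
        }
    }
}
```

The point for reviewers of the PR mentioned above is the first branch: the target type passed to loadAs() only constrains the root node, so a Map target gives no protection against tags on values inside the mapping. A grep for `new Yaml()` alongside `loadAs(` or `load(` on data that crosses a trust boundary is the quickest manual check; the CodeQL query referenced in the PoC section automates it.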

PoC

  • Exploit Demo
  • A CodeQL query has been provided to identify calls to the affected functions in Oracle Helidon applications.

Additional resources

Severity

High

CVE ID

CVE-2022-21404

Weaknesses

Credits