CVE-2022-38749 Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS)

For example, an attacker may inject malicious data into the file that causes the parser to crash. The attacker may do this by for example, creating a large number of nested brackets inside a single bracket, or creating a large number of long lines inside a single line. The parser will then crash when it tries to handle the input because it did not expect it.

Moreover, input supplied by a user (for example, in web applications) may contain malicious data. This means that if an attacker can control the input that the parser receives and inject malicious data, the attacker can cause a Denial of Service.

Depending on the context in which the parser is running, YAML files may be trusted. For example, if the parser is running on a remote server, the server administrator may decide that the input is trusted and therefore may decide to parse untrusted YAML data.

YAML Parser Denial of Service with Syntax Strings

An attacker may create a large number of nested brackets inside a single bracket and cause the parser to crash.
Input supplied by a user (for example, in web applications) may contain malicious data that causes the parser to crash.

How to use this guide

If you are using a parser that has been affected by CVE-2022-38749, there is a small chance that attackers can cause Denial of Service by injecting malicious data into the input. This guide will help you to identify your parser and ensure that it is safe to use.

The first step is to check whether your parser has been affected by CVE-2022-38749. If it has not been affected, then this guide will not be useful for you but we recommend checking out our other guides on parsing YAML in other languages (C++ and Python).

To check whether your parser has been affected by CVE-2022-38749, you can run the following command:
python -c 'from pprint import pprint; print("CVE-2022-38749")' | grep -q '^CVE-'
If the output of the above command contains "CVE-" (for example "CVE-2017-14732"), then your parser has been affected. This means that attackers may cause Denial of Service by injecting malicious data into the input.

YAML Parser Denial of Service Vulnerabilities

YAML parsers are vulnerable to denial of service attacks that can cause a Denial of Service. Depending on the context in which the parser is running, YAML files may be trusted. For example, if the parser is running on a remote server, the server administrator may decide that the input is trusted and therefore may decide to parse untrusted YAML data.
In other cases, an attacker may inject malicious data into the file that causes the parser to crash. The attacker may do this by for example, creating a large number of nested brackets inside a single bracket, or creating a large number of long lines inside a single line. The parser will then crash when it tries to handle the input because it did not expect it.

How to trigger Denial of Service

To trigger a Denial of Service, an attacker must control the input that is being parsed. This requires first gaining access to the system that is parsing YAML data. There are many ways by which an attacker can gain access to a remote server without having to compromise the server administrator's account (it is recommended that you use secure protocols when communicating with remote servers).
Once an attacker has gained access to a remote system, they can start sending malicious input to the parser.

Timeline

Published on: 09/05/2022 10:15:00 UTC
Last modified on: 09/08/2022 18:14:00 UTC

References