Symptoms:
In the on-Prem codebase, PyYaml is used only during functional tests which are not shipped to production.
vRealize Operations is not impacted by mentioned vulnerabilities.
On vRealize Operations Cloud Proxy, only the salt-master docker container uses the pyyaml library.
The salt state files are in JINJA.
pyyaml is used to convert validated JINJA files packaged with ARC to YAML during execution of the salt state file.
There is no untrusted input.
Calls in salt-master always use safe_load(), there is no usage of PyYaml problematic load functions.
vRealize Operations Cloud Proxy is not impacted by mentioned vulnerabilities.
On the Application Remote Collector appliance, only the salt-master docker container uses the pyyaml library.
The salt state files are in JINJA.
pyyaml is used to convert validated JINJA files packaged with ARC to YAML during execution of the salt state file.
There is no untrusted input.
Calls in salt-master always use safe_load(), there is no usage of PyYaml problematic load functions.
Also there is only one user, root, on the ARC VA.
Hence, the only way some untrusted yaml could be executed on the salt master, is if a root breach happens.
Application Remote Collector appliance is not impacted by mentioned vulnerabilities.