CVE-2019-20477, CVE-2020-1747 - PyYAML: arbitrary command executions in vRealize Operations

Article ID: 340116


Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Security scans running on vRealize Operations, vRealize Operations Cloud Proxy and standalone Application Remote Collector appliances might report the CVE-2019-20477 and CVE-2020-1747 vulnerabilities, with descriptions similar to the below:
CVE-2019-20477:
PyYAML 5.1 through 5.1.2 has insufficient restrictions on the load and load_all functions because of a class deserialization issue.
 
"PyYAML's load function has been unsafe since the first release in May 2006. It has always been documented that way in bold type: PyYAML Documentation. PyYAML has always provided a safe_load function that can load a subset of YAML without exploit."
 
The proper mitigation to avoid RCE while processing YAML data is to deserialize it with the safe_load() or safe_load_all() functions, or with load(data, Loader=SafeLoader).
 
CVE-2020-1747:
A vulnerability was discovered in the PyYAML library in versions before 5.3.1, where it is susceptible to arbitrary code execution when it processes untrusted YAML files through the full_load method or with the FullLoader loader.
“When untrusted input needs to be parsed, `SafeLoader` or `yaml.safe_load` must be used instead. This has been documented for a very long time in PyYAML.”
 
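Both advisories come down to the same check a reviewer has to make on any Python code base that imports PyYAML: every load call must go through safe_load()/safe_load_all() or pass Loader=SafeLoader, and none may use load() without a Loader, full_load(), or the Loader/FullLoader/UnsafeLoader classes. The following static audit is an added example written for this article; it is not VMware's or PyYAML's code. It uses only the standard-library ast module, so it runs without PyYAML installed, and the SAMPLE source it scans is constructed for illustration.

```python
"""Static audit for unsafe PyYAML loader calls (CVE-2019-20477, CVE-2020-1747).

Added example for this article; not VMware's or PyYAML's code.
Flags yaml.load()/load_all() without a safe Loader and the full_load/unsafe_load
family, which construct arbitrary Python objects from tagged YAML.
"""
import ast
from typing import Dict, List, Optional, Set, Tuple

# Loaders that only build plain data (mappings, sequences, scalars).
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# Convenience functions that are unsafe on untrusted input regardless of arguments.
UNSAFE_FUNCS = {"full_load", "full_load_all", "unsafe_load", "unsafe_load_all"}
# Functions whose safety depends entirely on the Loader argument.
LOADER_DEPENDENT = {"load", "load_all"}


def _yaml_names(tree: ast.AST) -> Tuple[Set[str], Dict[str, str]]:
    """Collect module aliases ("import yaml as y") and names imported from yaml."""
    modules: Set[str] = set()
    funcs: Dict[str, str] = {}  # local name -> original yaml function name
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "yaml":
                    modules.add(alias.asname or "yaml")
        elif isinstance(node, ast.ImportFrom) and node.module == "yaml":
            for alias in node.names:
                funcs[alias.asname or alias.name] = alias.name
    return modules, funcs


def _called_name(node: ast.Call, modules: Set[str], funcs: Dict[str, str]) -> Optional[str]:
    """Return the PyYAML function name behind a call, or None if it is not a yaml call."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name) and f.value.id in modules:
        return f.attr
    if isinstance(f, ast.Name) and f.id in funcs:
        return funcs[f.id]
    return None


def _loader_name(node: ast.Call) -> Optional[str]:
    """Return the Loader class name (keyword or second positional arg), or None if absent."""
    value = None
    for kw in node.keywords:
        if kw.arg == "Loader":
            value = kw.value
    if value is None and len(node.args) >= 2:
        value = node.args[1]
    if value is None:
        return None
    if isinstance(value, ast.Attribute):
        return value.attr
    if isinstance(value, ast.Name):
        return value.id
    return "<dynamic>"  # computed at runtime; treat as not provably safe


def find_unsafe_yaml_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, message) for every PyYAML call that is not provably safe."""
    tree = ast.parse(source)
    modules, funcs = _yaml_names(tree)
    findings: List[Tuple[int, str]] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _called_name(node, modules, funcs)
        if name in UNSAFE_FUNCS:
            findings.append((node.lineno, f"{name}() is never safe on untrusted input; use safe_load()/safe_load_all()"))
        elif name in LOADER_DEPENDENT:
            loader = _loader_name(node)
            if loader is None:
                # PyYAML 5.x falls back to FullLoader here (CVE-2020-1747); 6.x refuses the call.
                findings.append((node.lineno, f"{name}() without Loader=; use safe_{name}()"))
            elif loader not in SAFE_LOADERS:
                findings.append((node.lineno, f"{name}() with Loader={loader}; use Loader=SafeLoader"))
    return sorted(findings)


# Constructed sample source: two safe call sites and three that must be reported.
SAMPLE = '''
import yaml
from yaml import SafeLoader

def ok1(data):
    return yaml.safe_load(data)

def ok2(data):
    return yaml.load(data, Loader=SafeLoader)

def bad1(data):
    return yaml.load(data)

def bad2(data):
    return yaml.full_load(data)

def bad3(data):
    return yaml.load_all(data, Loader=yaml.Loader)
'''

if __name__ == "__main__":
    for lineno, message in find_unsafe_yaml_calls(SAMPLE):
        print(f"line {lineno}: {message}")
```

Run it over the SAMPLE source and it reports lines 12, 15 and 18 (the load() without Loader, the full_load() and the load_all() with yaml.Loader), while the two safe_load()/SafeLoader call sites are silent. Pointing find_unsafe_yaml_calls() at real files (for example every .py under a salt-master container image) is how one would verify a statement such as "calls always use safe_load()" rather than take it on trust; a "<dynamic>" loader finding means the Loader is chosen at runtime and needs manual review.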


Environment

VMware vRealize Operations 8.x

Resolution

vRealize Operations

In the on-premises codebase, PyYAML is used only in functional tests, which are not shipped to production.

vRealize Operations is not impacted by the mentioned vulnerabilities.
 

vRealize Operations Cloud Proxy

On vRealize Operations Cloud Proxy, only the salt-master Docker container uses the PyYAML library.
The Salt state files are Jinja templates.
PyYAML is used to convert the validated Jinja files packaged with ARC to YAML while the Salt state file is executed.
There is no untrusted input.
Calls in salt-master always use safe_load(); the problematic PyYAML load functions are not used.

vRealize Operations Cloud Proxy is not impacted by the mentioned vulnerabilities.
 

Application Remote Collector appliance

On the Application Remote Collector appliance, only the salt-master Docker container uses the PyYAML library.
The Salt state files are Jinja templates.
PyYAML is used to convert the validated Jinja files packaged with ARC to YAML while the Salt state file is executed.
There is no untrusted input.
Calls in salt-master always use safe_load(); the problematic PyYAML load functions are not used.
In addition, there is only one user, root, on the ARC virtual appliance.
Hence, the only way untrusted YAML could be executed on the salt master is after a root compromise of the appliance.

The Application Remote Collector appliance is not impacted by the mentioned vulnerabilities.


Additional Information

PyYAML Wiki
bugzilla.redhat.com
Saltstack Wiki