Bug 1388113 (CVE-2016-8628)

Summary: CVE-2016-8628 ansible: Command injection by compromised server via fact variables
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, arubin, ayoung, bleanhar, ccoleman, chrisw, cvsbot-xmlrpc, dedgar, dmcphers, gmollett, jgoulding, jialiu, jjoyce, jkeck, jmatthew, joelsmith, jokerman, jschluet, kbasil, kdube, kseifried, lhh, lmeyer, lpeer, markmc, mmccomas, mscherer, nthomas, rbryant, rcyriac, sankarshan, sclewis, security-response-team, sgirijan, sisharma, slinaber, smallamp, smohan, ssaha, tcarlin, tdawson, tdecacqu, tsanders, tvignaud, vbellur
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Ansible 2.2.0 Doc Type: If docs needed, set a value
Doc Text:
Ansible fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-12-15 05:30:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1390646, 1390647, 1390648, 1390649, 1390681, 1396333    
Bug Blocks: 1388114    

Description Adam Mariš 2016-10-24 13:37:25 UTC 
It was found that it's possible to inject code and gain remote code execution via setting ansible_ssh_executable variable by attacker that takes over of controlled server.
Comment 1 Adam Mariš 2016-10-24 13:37:55 UTC 
Acknowledgments:

Name: Michael Scherer (Red Hat)
Comment 2 Kurt Seifried 2016-11-01 15:23:05 UTC 
Created ansible1.9 tracking bugs for this issue:

Affects: fedora-all [bug 1390647]
Affects: epel-all [bug 1390649]
Comment 3 Kurt Seifried 2016-11-01 15:23:26 UTC 
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1390646]
Affects: epel-all [bug 1390648]
Comment 4 Kurt Seifried 2016-11-01 15:28:46 UTC 
This issue is addressed in Ansible 2.2.0 available at:

https://github.com/ansible/ansible/releases/tag/v2.2.0.0-1
Comment 5 Kurt Seifried 2016-11-01 15:34:58 UTC 
Downgrading this issue from High to Medium as it requires a compromised server in order to exploit a client.
Comment 8 Kurt Seifried 2016-11-14 18:24:00 UTC 
Updated affects, 1.9 is not affected.
Comment 9 errata-xmlrpc 2016-11-15 19:09:59 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Container Platform 3.3

Via RHSA-2016:2778 https://access.redhat.com/errata/RHSA-2016:2778