Bug 1450018 (CVE-2017-7481)

Summary: CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
Product: [Other] Security Response
Component: vulnerability
Reporter: Borja Tarraso <btarraso>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: a.badger, apevec, athmanem, ayoung, bleanhar, bmcclain, btarraso, ccoleman, chrisw, cvsbot-xmlrpc, dblechte, dedgar, dmcphers, eedri, jgoulding, jialiu, jjoyce, jkeck, jschluet, kbasil, kevin, lhh, lpeer, markmc, mark, maxim, mgoldboi, michal.skrivanek, rbryant, rhos-maint, sbonazzo, sclewis, sisharma, slinaber, slong, tdawson, tdecacqu, toromoti, tvignaud, ykaul
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ansible 2.3.1.0, ansible 2.4.0.0
Doc Text:
An input validation flaw was found in Ansible, where it fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
Last Closed: 2019-06-08 03:12:23 UTC
Bug Depends On: 1474160, 1441482, 1441485, 1450279, 1450280, 1451059, 1451060, 1451061, 1451062, 1455377, 1455378, 1461920, 1470914
Bug Blocks: 1450036, 1453037

Description Borja Tarraso 2017-05-11 11:59:49 UTC
Jason McKerr of Red Hat reports:

Data returned in lookup() variables is not marked as unsafe and could result in unicode strings being passed through to the jinja2 templating system.

Comment 3 Andrej Nemec 2017-05-12 07:02:28 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1450280]
Affects: fedora-all [bug 1450279]

Comment 9 errata-xmlrpc 2017-05-17 17:42:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.2
  Red Hat OpenShift Container Platform 3.3
  Red Hat OpenShift Container Platform 3.4
  Red Hat OpenShift Container Platform 3.5

Via RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1244

Comment 12 Andrej Nemec 2017-05-25 15:30:55 UTC
Acknowledgments:

Name: Evgeni Golov (Red Hat)

Comment 13 errata-xmlrpc 2017-05-25 17:14:57 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 7

Via RHSA-2017:1334 https://access.redhat.com/errata/RHSA-2017:1334

Comment 14 errata-xmlrpc 2017-05-25 17:44:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.2
  Red Hat OpenShift Container Platform 3.3
  Red Hat OpenShift Container Platform 3.4
  Red Hat OpenShift Container Platform 3.5

Via RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1244

Comment 16 errata-xmlrpc 2017-06-15 22:28:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 11.0 (Ocata)

Via RHSA-2017:1476 https://access.redhat.com/errata/RHSA-2017:1476

Comment 17 errata-xmlrpc 2017-06-19 13:35:42 UTC
This issue has been addressed in the following products:

  Red Hat Storage Console 2 for Red Hat Enterprise Linux 7

Via RHSA-2017:1499 https://access.redhat.com/errata/RHSA-2017:1499

Comment 20 errata-xmlrpc 2017-06-28 15:21:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:1599 https://access.redhat.com/errata/RHSA-2017:1599

Comment 23 errata-xmlrpc 2017-08-22 17:44:25 UTC
This issue has been addressed in the following products:

  RHEV Engine version 4.1

Via RHSA-2017:2524 https://access.redhat.com/errata/RHSA-2017:2524