Bug 1485474 (CVE-2017-12148)

Summary: CVE-2017-12148 Ansible Tower: modification of git hooks in SCM repo via upstream playbook execution
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: cpelland, dajohnso, dclarizi, gblomqui, gmainwar, gmccullo, gtanzill, hhudgeon, jfrey, jhardy, jlaska, jprause, kseifried, notting, obarenbo, roliveri, security-response-team, simaishi, yjog
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ansible_tower 3.1.5, ansible_tower 3.2.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Tower's interface with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-11 12:08:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1485484, 1485485, 1490002, 1490003, 1490004
Bug Blocks: 1485482

Description Kurt Seifried 2017-08-25 20:56:48 UTC
If a Tower project (SCM repo) definition does not have the 'delete before update' flag set, a user who has commit access to the upstream playbook source repo could create a trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks.

On the next SCM update, these git hooks would then run, therefore running arbitrary code as the 'awx' (Tower service) user.
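The mechanism in the description is that a persistent checkout keeps whatever a playbook run wrote into `.git/hooks`, and git runs those files on the next update. The following audit script is an added example for this record, not code from Tower or Red Hat: it walks a projects root (assumed layout: one git checkout directory per project, so `<root>/<project>/.git/hooks`) and reports every checkout with a live hook, i.e. an executable file that is not one of the `*.sample` templates git writes on init. The fixture it builds is constructed and inert; on a real Tower host you would point `audit_projects` at the projects directory of any project that lacks the 'delete before update' flag, since with that flag set the checkout is discarded and the hooks with it.

```python
"""Audit Tower/AWX-style project checkouts for live git hooks.

Added example for this bug record; not Tower's own code. Assumes each
project is a plain git checkout laid out as <root>/<project>/.git/hooks.
"""
import stat
import tempfile
from pathlib import Path


def find_active_hooks(checkout_dir):
    """Return the names of hooks under <checkout>/.git/hooks that git would
    actually execute: regular files with an executable bit set that are not
    the stock *.sample templates git creates on init."""
    hooks_dir = Path(checkout_dir) / ".git" / "hooks"
    if not hooks_dir.is_dir():
        return []
    active = []
    for entry in sorted(hooks_dir.iterdir()):
        if entry.suffix == ".sample" or not entry.is_file():
            continue
        mode = entry.stat().st_mode
        if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            active.append(entry.name)
    return active


def audit_projects(projects_root):
    """Walk a projects root and return {project_name: [hook, ...]} for every
    checkout that carries at least one live hook."""
    findings = {}
    root = Path(projects_root)
    for project in sorted(p for p in root.iterdir() if p.is_dir()):
        hooks = find_active_hooks(project)
        if hooks:
            findings[project.name] = hooks
    return findings


def build_sample_projects_root():
    """Constructed fixture: two fake checkouts. 'clean_proj' has only a stock
    sample template; 'dirty_proj' additionally has an executable post-checkout
    hook, the condition the audit is meant to flag. The hook body is an inert
    placeholder, not a working hook."""
    root = Path(tempfile.mkdtemp(prefix="tower_projects_"))
    for name in ("clean_proj", "dirty_proj"):
        hooks_dir = root / name / ".git" / "hooks"
        hooks_dir.mkdir(parents=True)
        (hooks_dir / "pre-commit.sample").write_text("#!/bin/sh\n# stock template\n")
    hook = root / "dirty_proj" / ".git" / "hooks" / "post-checkout"
    hook.write_text("#!/bin/sh\n# constructed placeholder for the audit fixture\n")
    hook.chmod(hook.stat().st_mode | stat.S_IXUSR)
    return root


if __name__ == "__main__":
    sample_root = build_sample_projects_root()
    for project, hooks in audit_projects(sample_root).items():
        print(f"{project}: live git hooks found: {', '.join(hooks)}")
```

Any hit is worth treating as an incident indicator rather than a misconfiguration: a Tower project checkout is written by Tower's own `git` operations and by playbook runs, and neither should legitimately leave an executable hook behind. The durable fix is the one the record names (the fixed Tower versions, or the 'delete before update' flag so each update starts from a fresh checkout); the audit is for finding checkouts that predate that.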

Comment 2 Borja Tarraso 2017-09-07 09:30:19 UTC
Acknowledgments:

Name: Ryan Petrello (Red Hat)

Comment 5 errata-xmlrpc 2017-10-24 00:42:57 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2017:3005 https://access.redhat.com/errata/RHSA-2017:3005