Bug 1565862 (CVE-2018-1104)

Summary: CVE-2018-1104 ansible-tower: Remote code execution by users with access to define variables in job templates
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: cpelland, dajohnso, gblomqui, gmccullo, gtanzill, hhudgeon, jfrey, jhardy, jprause, mglantz, obarenbo, roliveri, rpetrell, security-response-team, simaishi, simon, sudo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ansible-tower 3.1.6, ansible-tower 3.2.4 Doc Type: If docs needed, set a value
Doc Text:
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:19:52 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1572740, 1572747, 1572748    
Bug Blocks: 1565867    

Description Sam Fowler 2018-04-11 00:16:19 UTC 
Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server.
Comment 1 Sam Fowler 2018-04-11 00:16:29 UTC 
Acknowledgments:

Name: Simon Vikström
Comment 2 Magnus Glantz 2018-04-13 10:12:58 UTC 
The only way around this, as far as I can see, is to restrict ability to define extra variables for job templates (includes ability to define variables at the all levels, including from the inventory, a.s.o.). This, naturally, is crippling to the functionality of Tower. Anyone involved in playbook/role/inventory development/administration would have the ability to execute this exploit.

Also, it would be possible for someone to craft a role, put it in Ansible Galaxy to attack any users using it.
Comment 4 Kurt Seifried 2018-05-02 16:05:21 UTC 
This is now public: https://www.ansible.com/security
Comment 5 Kurt Seifried 2018-05-02 16:06:12 UTC 
This issue has been addressed in Ansible Tower release 3.1.6 and 3.2.4, for more information please see https://www.ansible.com/security
Comment 6 errata-xmlrpc 2018-05-07 20:42:24 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:1328 https://access.redhat.com/errata/RHSA-2018:1328
Comment 7 errata-xmlrpc 2018-06-25 14:16:56 UTC 
This issue has been addressed in the following products:

  CloudForms Management Engine 5.8

Via RHSA-2018:1972 https://access.redhat.com/errata/RHSA-2018:1972