Bug 1596528 (CVE-2018-10874)

Summary: CVE-2018-10874 ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: a.badger, abhgupta, ahardin, aos-bugs, apevec, athmanem, bbuckingham, bcourt, bkearney, bleanhar, bmcclain, ccoleman, chrisw, cpelland, cshereme, dajohnso, dbaker, dbecker, dblechte, dedgar, dfediuck, dmetzger, dominik.mierzejewski, edube, eedri, eparis, gblomqui, gmccullo, gtanzill, jcammara, jfrey, jgoulding, jhardy, jjoyce, jmatthew, jokerman, jprause, jschluet, jupierce, kbasil, kdixon, kevin, lhh, lpeer, markmc, maxim, mburns, mchappel, mgoldboi, michal.skrivanek, mmccomas, mmccune, mrike, obarenbo, ohadlevy, pcahyna, rbryant, rchan, rhos-maint, rjerrido, roliveri, sbonazzo, sclewis, security-response-team, sherold, simaishi, sisharma, slinaber, smallamp, smunilla, ssaha, sthangav, tbielawa, tcarlin, tdecacqu, tkuratom, trankin, tsanders, tvignaud, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20180629,reported=20180628,source=redhat,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-426,ansible_engine-2/ansible=affected,ceph-2/ansible=affected,ceph-3/ansible=affected,rhn_satellite_6/ansible=notaffected,rhev-m-4/ansible=affected,rhes-3/ansible=affected,cfme-5/ansible=notaffected,openshift-enterprise-3/ansible=affected,openshift-online-3/ansible=notaffected,openstack-10/ansible=affected,openstack-12/ansible=affected,openstack-13/ansible=affected,qci-1/ansible=new,fedora-all/ansible=affected,epel-all/ansible=affected,openstack-14/ansible=notaffected
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:30:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1610582, 1610583, 1598807, 1598808, 1598809, 1598810, 1598811, 1598812, 1599296, 1602768, 1602769, 1602770, 1602771, 1607723, 1610584, 1636192, 1636194    
Bug Blocks: 1595939    

Description Adam Mariš 2018-06-29 07:56:12 UTC
It was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.

Comment 1 Laura Pardo 2018-06-29 15:08:09 UTC
Acknowledgments:

Name: Michael Scherer (OSAS)

Comment 2 Borja Tarraso 2018-07-06 13:54:01 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1598810]
Affects: fedora-all [bug 1598809]

Comment 6 errata-xmlrpc 2018-07-10 09:48:47 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:2150 https://access.redhat.com/errata/RHSA-2018:2150

Comment 7 errata-xmlrpc 2018-07-10 11:32:38 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:2151 https://access.redhat.com/errata/RHSA-2018:2151

Comment 8 errata-xmlrpc 2018-07-10 12:56:08 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:2152 https://access.redhat.com/errata/RHSA-2018:2152

Comment 9 errata-xmlrpc 2018-07-10 17:19:58 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2166

Comment 12 errata-xmlrpc 2018-07-31 17:49:29 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2321 https://access.redhat.com/errata/RHSA-2018:2321

Comment 17 errata-xmlrpc 2018-08-29 16:05:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585

Comment 22 errata-xmlrpc 2019-01-16 17:10:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054