Bug 1801804 (CVE-2020-1734)
| Summary: | CVE-2020-1734 ansible: shell enabled by default in a pipe lookup plugin subprocess | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | a.badger, amctagga, amoralej, anharris, bniver, carnil, dbecker, dmetzger, flucifre, gblomqui, gmainwar, gmccullo, gmeno, gtanzill, hvyas, jcammara, jfrey, jhardy, jjoyce, jlaska, jschluet, jtanner, kbasil, kdixon, kevin, lhh, lpeer, maxim, mbenjamin, mburns, mhackett, obarenbo, puebele, rhos-maint, roliveri, sclewis, security-response-team, simaishi, sisharma, slinaber, slong, smallamp, tkuratom, tvignaud, vbellur, vereddy |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-05-27 13:45:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1804361, 1804362, 1804363, 1804364, 1805338, 1805339, 1805354, 1805355, 1805356, 1805357, 1805471, 1807372, 1807874, 1814763 | ||
| Bug Blocks: | 1801714 | ||
|
Description
Borja Tarraso
2020-02-11 16:29:58 UTC
Acknowledgments: Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab) Created ansible tracking bugs for this issue: Affects: epel-all [bug 1805339] Affects: fedora-all [bug 1805338] Working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now. This was already reported (see https://github.com/ansible/ansible/issues/6550) but not fixed. The suggested correction is to use shell=False by default and add an argument to set it to True if needed. This issue seems it affects all supported versions. Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs. Mitigation: This issue can be avoided by escaping variables which are used in the lookup. Upstream fix: https://github.com/ansible/ansible/issues/67792 Created ansible tracking bugs for this issue: Affects: openstack-rdo [bug 1807874] Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu. CloudForms 5.11 do not use ansible-tower and 5.10 only using ansible-tower-venv-ansible atm. Statement: Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected. Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected. In Red Hat OpenStack Platform, because the flaw has a lower impact, ansible is not directly customer exposed, and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. |