Bug 1968412 (CVE-2021-3583)

Summary: CVE-2021-3583 ansible: Template Injection through yaml multi-line strings with ansible facts used in template.
Product: [Other] Security Response
Reporter: Tapas Jena <tjena>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: a.badger, asherlan, bcoca, chousekn, cmeyers, davidn, dylan, gblomqui, jcammara, jhardy, jjoyce, jobarker, jschluet, kevin, lhh, lpeer, mabashia, maxim, mburns, notting, osapryki, patrick, relrod, rpetrell, sclewis, sdoran, security-response-team, slinaber, smcdonal, tkuratom, tuxmealux+redhatbz
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: ansible_tower 3.7, ansible_engine 2.9.23
Doc Text:
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
Last Closed: 2021-07-07 10:40:38 UTC
Bug Depends On: 1976097, 1969274, 1969275, 1976092, 1976093, 1976096, 1976098
Bug Blocks: 1967965, 1968686, 2002257

Description Tapas Jena 2021-06-07 10:57:58 UTC
If there are Ansible users out there who are trying to put templates in multi-line YAML strings (https://yaml-multiline.info/), and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in the template.

Comment 2 Tapas Jena 2021-06-08 06:13:27 UTC
Analysis is complete and it's found to be a legitimate issue. The issue has been successfully reproduced. Hence, marking it as "Affected" -> "fix" for AAP 1 and Ansible Tower.

Comment 7 Tapas Jena 2021-06-25 08:08:42 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1976097]
Affects: fedora-all [bug 1976096]
Affects: openstack-rdo [bug 1976098]

Comment 8 errata-xmlrpc 2021-07-07 04:45:15 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.9 for RHEL 8
  Red Hat Ansible Engine 2.9 for RHEL 7

Via RHSA-2021:2663 https://access.redhat.com/errata/RHSA-2021:2663

Comment 9 errata-xmlrpc 2021-07-07 04:45:59 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 8
  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2021:2664 https://access.redhat.com/errata/RHSA-2021:2664

Comment 10 Product Security DevOps Team 2021-07-07 10:40:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3583
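
An added audit example, not part of the bug report and not Ansible code: a heuristic scan that lists playbook lines where a template inside a multi-line YAML string (a `|` or `>` block scalar) references facts, so those tasks can be reviewed on controllers older than the fixed versions listed above. The function name `audit`, the regular expressions and the sample playbook are assumptions made for this example; the fact-name pattern deliberately over-matches.

```python
import re

# "key: |", "- >-", "key: |2+" ... : a YAML block scalar (multi-line string) header.
HEADER = re.compile(r'^(?P<indent> *)(?P<dash>(?:- +)*)(?P<key>[^\s#].*?: +)?'
                    r'[|>][+-]?[1-9]?[+-]?\s*$')
# Jinja2 expressions and statements that open and close on one line.
TEMPLATE = re.compile(r'\{\{.*?\}\}|\{%.*?%\}')
# Assumption: fact references look like ansible_facts, ansible_<name> or hostvars.
# This over-approximates (ansible_user etc. also match); it is a review aid.
FACT_REF = re.compile(r'\b(?:ansible_facts|ansible_[a-z0-9_]+|hostvars)\b')

def audit(text):
    """Return (header_line, line, expression) for fact templates in block scalars."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        i += 1
        if not m:
            continue
        header_no = i  # 1-based line number of the "|" or ">" header
        # The body is every following line indented deeper than the parent node.
        parent = len(m['indent']) + (len(m['dash']) if m['key'] else 0)
        while i < len(lines):
            line = lines[i]
            if line.strip() and len(line) - len(line.lstrip(' ')) <= parent:
                break  # dedent: the block scalar has ended
            for expr in TEMPLATE.findall(line):
                if FACT_REF.search(expr):
                    findings.append((header_no, i + 1, expr))
            i += 1
    return findings

# Constructed sample playbook, not taken from the bug report.
SAMPLE = """\
- hosts: all
  tasks:
    - name: report
      debug:
        msg: |
          Host {{ ansible_facts['hostname'] }} runs
          {{ ansible_distribution }} {{ release_label }}
    - name: plain
      debug:
        msg: "{{ ansible_hostname }}"
"""

if __name__ == "__main__":
    for header_no, line_no, expr in audit(SAMPLE):
        print(f"block scalar at line {header_no}: line {line_no}: {expr}")
```

Templates that span several lines are not matched; a full YAML and Jinja2 parser would be needed for complete coverage.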