Bug 2028121 (CVE-2021-4112)

Summary: CVE-2021-4112 ansible-tower: Privilege escalation via job isolation escape
Product: [Other] Security Response Reporter: Vipul Nair <vinair>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bcoca, chousekn, davidn, gblomqui, jcammara, jhardy, jobarker, mabashia, notting, osapryki, relrod, rpetrell, simaishi, smcdonal, tkuratom
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-02-08 22:13:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2028399, 2028400, 2028522    
Bug Blocks: 1983057    

Description Vipul Nair 2021-12-01 14:20:45 UTC 
A researcher found a trivial bypass for CVE-2021-20253 by sending a mail to awx user, thereby leveraging postfix to create a folder, owned by awx, then placing a binary in that folder that lets a low privilege user to elevate to awx outside the isolation jail.
Comment 6 errata-xmlrpc 2022-02-08 03:40:39 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.1 for RHEL 8

Via RHSA-2022:0460 https://access.redhat.com/errata/RHSA-2022:0460
Comment 7 errata-xmlrpc 2022-02-08 14:57:27 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.0 for RHEL 8

Via RHSA-2022:0474 https://access.redhat.com/errata/RHSA-2022:0474
Comment 8 errata-xmlrpc 2022-02-08 21:31:54 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Tower 3.8 for RHEL 7

Via RHSA-2022:0482 https://access.redhat.com/errata/RHSA-2022:0482
Comment 9 Product Security DevOps Team 2022-02-08 22:13:20 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4112
Comment 10 Satoe Imaishi 2022-02-15 18:58:22 UTC 
For Ansible Tower 3.8, this is addressed in ansible-tower 3.8.5-2 and ansible-runner 1.4.7-2 rpms, which are included in ansible-tower-setup-bundle-3.8.5-2.tar.gz/ansible-automation-platform-setup-bundle-1.2.6-2.tar.gz.